
Breaking The Vicious Cycle of Compromised Identities

Breaking the Identity Cycle


As we at Rezonate analyze the 2023 Verizon Data Breach Investigations Report, an unmistakable déjà vu moment grips us: a staggering 74% of all breaches still exploit the human factor — be it through errors, misuse of privileges, stolen credentials, or social engineering. This recurring theme is a clear call for businesses to switch gears and move away from static security approaches towards a more dynamic, identity-centric model.

An Unyielding Threat Landscape

Year after year, our IT landscape and attack surface continue to expand. Cloud adoption has soared, hybrid work has become the norm, and our infrastructure continues to evolve. Yet the threat statistics remain frustratingly consistent. This consistency points to a key issue: our security measures aren’t keeping up. Traditional security approaches, designed for a static operational model and distributed across tools and teams, only increase complexity and do not meet the demands of an ever-changing, dynamic infrastructure.

In turn, this provides ample opportunities for attackers. Shadow access has become commonplace, the attack surface has grown, and reliance on third parties has increased. All of these present identity access risks, making it harder to see, understand and secure the enterprise’s critical data and systems.

How Are Attackers Winning?

Attackers are using simple yet effective methods to gain access to valuable data without needing any complex malware. They rely on a variety of account takeover tactics: bypassing stronger controls such as MFA, compromising identities, access, credentials and keys, brute-forcing email accounts, and easily expanding laterally wherever access is permitted between SaaS applications and cloud infrastructure. Stolen credentials continue to be the top access method for attackers, accounting for 44.7% of breaches (up from ~41% in 2022). Threat actors will continue to mine where there’s gold: identity attacks across email, SaaS and IaaS, and directly against identity providers.

Where We Fall Short

Security teams are challenged by their lack of visibility into and understanding of the entire access journey, across both human and machine identities, from the moment access is federated to every subsequent change to data and resources. We’re also seeing gaps in real-time detection and response, whether in limiting user privileges or in accurately identifying compromised identities. These shortcomings are largely due to our reliance on threat detection and cloud security posture management technologies that fail to deliver the immediate, accurate response required to contain and stop identity-based threats.

What Should You Do Differently?

We’re observing that businesses adopting an identity-centric approach:

  • Gain a comprehensive understanding of their identity and access risks, breaking down data silos,
  • Are able to better prioritize their most critical risks and remediation strategies,
  • Can more rapidly adapt access and privileges in response to every infrastructure change,
  • Automatically mitigate posture risks before damage is inflicted, and
  • Confidently respond to and stop active attacks.

Identities and access across your cloud, SaaS, and IAM infrastructure are constantly changing. Your security measures must evolve in tandem. The identity-centric operating model enables businesses to proactively harden potential attack paths and to detect and stop identity threats in real time.

Breaking the cycle in Verizon DBIR 2024

Now is the time to make a change. Let’s abandon our old set-and-forget habits and recognize that security needs to be as dynamic and adaptive as the infrastructure it protects.

For more information about how Rezonate can help you build or further mature your identity security, contact us and speak with an identity security professional today.

This post was written by Roy Akerman, CEO and Co-Founder at Rezonate, and former head of the Israeli Cyber Defense Operations.
