Silverfort Research Shows Gaps, Opps in Identity Security

New research from Osterman Research and Silverfort reveals a distinct disconnect in identity security for organizations.

80 percent lack visibility into threats, even as most believe they have “mature” security

The report, “Strengthening Identity Security: Governance, Visibility, and Autonomous Remediation,” found that nearly 70 percent of organizations surveyed believe their defenses are “mature,” but 80 percent lack complete visibility into identity threats.

In a blog post, Silverfort refers to this disconnect as the “maturity myth,” in that confidence is outpacing capability.

“A lack of industry standards for what identity security is and what it should deliver may be partially to blame for this maturity myth,” Victoria Berryhill, an independent communications consultant, wrote in a blog post for Silverfort. “This maturity myth is more than a perception problem. It’s a tool problem. It’s a business risk. It’s indicative of an industry at an inflection point. Lack of budgets, resources, and tooling created delays in action and missed opportunities to mature enterprise identity security programs.”

Key findings from the report to highlight include:

• Over the past year, 60 percent of identity leaders have observed adversaries becoming increasingly interested in stealing and abusing compromised credentials, and nearly 80 percent lack visibility into what non-human identities (NHIs)/service accounts are actually doing.
• Roughly 72 percent of identity leaders said the threat level of identity-related attacks has increased or remained unchanged in the past year.
• Four out of five identity leaders lack full visibility into three critical risks, including service accounts behaving in unexpected ways, authentication session tokens being used in abnormal locations, and compromised employee credentials being sold on the dark web.
• For organizations using tools to detect compromised credentials on the dark web, 60 percent claimed maturity, but only 22 percent could demonstrate it.
• For backup and recovery of identity platforms, 71 percent claimed maturity, but only 41 percent had evidence to support this claim.

“Whether you’re securing your endpoints, cloud, or network, visibility is a prerequisite,” Berryhill writes. “Identity should be treated like any other piece of critical IT infrastructure, and protected the same way– if not even more so. When attackers use valid– but stolen– credentials, traditional defenses are often insufficient, making visibility even more important.”

Leadership is paying attention to these findings surrounding identity security. The report found that 84 percent of respondents cite identity security as a clear cybersecurity priority.

Further, a majority of executives (51 percent) awarded identity security the highest rating (extremely important), which is nearly twice as many as in 2023, when just 28 percent said it was “extremely important.”

Reversing the maturity myth: Silverfort’s roadmap to resilience

The maturity myth is not necessarily permanent, and Silverfort says that with the right investments, organizations can build true identity resilience.

The research paper provides a roadmap for strengthening an organization’s identity security posture.

Step one: detection

The roadmap starts with enhancing the detection of misused compromised credentials and investing in the following technologies:

• Detection of compromised credentials on dark web forums for proactive autonomous remediation and reduction of the potential threat space.
• Stronger forms of multifactor authentication (MFA) to eliminate the possibility of MFA bypass attacks.
• ITDR for detecting inappropriate credential use based on correlating underlying signals and behavioral abnormalities.

Step two: stopping escalation in real-time

Next, organizations should focus on stopping lateral movement and privilege escalation in real-time. With identity security capabilities working in concert, organizations can address lateral movement and privilege escalation.

The report emphasizes that half of the organizations believe their confidence in stopping lateral movement or privilege escalation will increase with better tooling.

Among these capabilities for stopping these malicious activities are:

• Detection of compromised credentials on dark web forums for proactive autonomous remediation and reduction of the potential threat space.
• Visibility into where identities are being used to access systems and data, combined with the tracking of changes in rights and privileges, enables the baselining of behaviors and actions associated with each identity.
• Extending MFA processes to all access interfaces and authentication protocols across an Active Directory environment, including command line access tools like PsExec and PowerShell. Inline authentication controls can determine if an authentication is legitimate and preemptively stop suspicious authentications.
• Backup and recovery for identity platforms, for autonomous reversal of malicious, accidental, or unwarranted changes to identity attributes.

Step three: recovery

Improving capabilities for recovering from identity-related issues is next up on the roadmap. Implementing dedicated identity platform backup and restore solutions is a crucial step toward a mature identity security strategy.

Just one out of four organizations has the highest confidence that they could recover from these identity-related issues:

• Malicious actors making unauthorized changes to identity configurations, like Entra ID roles or groups.
• Accidental deletion of identity policies or user access settings.
• Compromise or misconfiguration of cloud identity platforms (e.g. Entra ID, Okta).
• Failure of automated provisioning/deprovisioning pipelines.

Without third-party backup solutions, changes to Entra roles, group memberships, or policies cannot be rolled back, which exposes organizations to significant outages, compliance failures, or privilege escalations. By implementing dedicated identity platform backup and restore solutions, organizations take a step towards a mature identity security strategy.

Step four: assessing risk

Next, organizations must capture identity signals to assess exposure risk. An organization with the right optics to detect early signs of compromise and the process maturity to respond achieves the fastest and optimal response through autonomous action.

Just 30.2 percent of those surveyed said they achieved this standard based on continuous visibility, risk scoring, and response actions. Meanwhile, a much larger group (57.1 percent) says they have the automated signals and scoring part, but lack autonomous response ability.

Step five: increasing the likelihood of early detection

The next step is to enhance identity security detections and policies to increase the likelihood of early detection of malicious and abnormal identity signals.

External threat intelligence and breach data feeds provide a way of enriching internal assessment capabilities without having to do the heavy lifting alone.

Step 6: bring executives to the table

Lastly, organizations should strengthen executive support for identity security, as it plays a key role in validating the growing importance of securing identities and allocating budget and support for investments to improve their identity security posture.

Identity security is only becoming more critical to many organizations

The research indicates that the importance of identity security is on the rise. Currently, 51.6 percent of respondents said identity security was “extremely important,” compared to just 27.8 percent two years ago.

Threat actors are increasing their interest in stealing and abusing compromised credentials, often leveraging social engineering to gain access. With this in mind, all organizations must urgently reassess their identity security protections, the research suggests, along with deploying new or advanced solutions to enhance their identity security posture and mitigate exposure to the negative implications of credential-based threats.

To improve how organizations evaluate and enforce trust across devices, users, and workloads, providers are making enhancements and offering new solutions. Read more about SecureW2’s latest updates to introduce adaptive security, zero-trust access, and continuous identity verification.