Semperis Team

Just as the impact of cyberattacks is not confined to the IT department, the role of the CISO has expanded beyond the security team. With organizations and analysts now acknowledging that identity is the new security perimeter, overseeing a comprehensive identity-first security strategy has become an essential CISO responsibility. What do CISOs need to know about Identity Threat Detection and Response (ITDR)? Here, our experts provide five important steps for forward-thinking security leaders.

1. Focus on identity-first security for stronger operational resilience

Simon Hodgkinson, former CISO at bp and Strategic Advisor at Semperis, says that operational resilience should be top of mind for both security and business leaders. And enabling full resilience involves much more than having a generic disaster recovery plan.

“Disaster recovery is fairly narrow in its definition and typically viewed in a small timeframe,” Hodgkinson says. “Operational resilience is much broader, including aspects like the sort of governance you’ve put in place; how you manage operational risk management; your business continuity plans; and cyber, information, and third-party supplier risk management…. Resilience must be built into everything.”

This level of resilience depends on strong security for your identity infrastructure. For more than 90 percent of organizations, that means Active Directory (AD) and Azure AD. After all, if AD isn’t working, nothing is. As Hodgkinson says, “Active Directory is at the very core of your ability to operate and deliver business outcomes, and it needs to be part of your operational resilience strategy instead of being treated as an island.”

2. Build a comprehensive ITDR strategy

“Gartner drew a lot of attention late last year to identity threat detection and response (ITDR) solutions,” says Semperis Principal Technologist Sean Deuby. “There are many ways to strengthen your defenses, but the most productive step that organizations can take this year is to prioritize identity-focused security.”

Such a strategy should include specific procedures, processes, and responsibilities for protecting your hybrid identity infrastructure across the AD attack lifecycle: before, during, and after an attack. It should include a plan for AD-specific backup and recovery and regular monitoring to identify identity-related vulnerabilities. And it should identify interdependencies between your identity systems and operational technology (OT).

3. Get a realistic view of your identity attack surface

“Most attacks involve identity and, regardless of their initial access point, threat actors typically go through AD to gain ground in your environment,” explains Deuby. “So, a great place to start is evaluating and reducing your AD attack surface.”

This necessary step needn’t be difficult or expensive. Powerful tools like Purple Knight, which helps you spot gaps and vulnerabilities that often have existed for years, and Forest Druid, which helps you identify your most important identity assets and the access paths to them, are available for free. No installation or special permissions are required, and the tools provide a clear snapshot of potential vulnerabilities—and indicators that attackers might already have breached your identity perimeter. You also get actionable guidance for closing existing gaps.

4. Automate identity protection for a faster response

Forbes recommends that CISOs focus on solutions for automating threat prevention. “Automation and an API-first approach can help streamline processes, reduce the risk of human error and improve the efficiency of cybersecurity teams,” Forbes notes. “This includes the use of automation in tasks such as vulnerability management, incident response, and compliance checks.”

Automation can reduce the workload on resources as well as reduce human error and speed incident response. And when it comes to protecting your Tier 0 identity assets, speed is of the essence.

During the infamous Maersk NotPetya attack, for example, ransomware spread across the network at record speed. “By the second you saw it, your data center was already gone,” Craig William, Cisco’s Talos division’s Director of Outreach, told Wired.

This is why expert ITDR solutions enable automated rollback of changes to AD. Semperis Directory Services Protector (DSP) automates remediation and enables customized triggers and alerts, so that organizations can respond to cyber threats as quickly as possible.

Automating AD recovery is another vital capability. Manual recovery can take days or even weeks, compared with as little as under an hour with Semperis Active Directory Forest Recovery (ADFR).

5. Prepare for the worst

“I suspect that we’re going to see continued growth in cybercrime, across all fronts, not just in 2023 but for years to come,” warns Deuby. “According to the Statista Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027, averaging anywhere from 21% to 36% yearly growth. This trend carries a clear message: Keep working on security basics and closing the most common attack paths.”

Security experts are fond of saying that cyberattacks are a matter of “when, not if.” CISOs should prepare for that “when” by having an AD-specific backup and detailed AD recovery plan—and by testing both regularly. Traditional backups include both AD and the OS, which can include malware. Malware can hide in your environment for weeks or months, corrupting backups so that recovery reinfects your systems. And the last thing you need is to discover flaws in your backup or recovery plan during an active cyberattack.

Learn more

Many of the world’s largest organizations rely on Semperis identity security experts to help them protect and recover their Active Directory and Azure AD infrastructures. Recognized Semperis as an expert ITDR solutions provider, Semperis solutions and services focus on hybrid identity protection throughout the AD attack lifecycle—before, during, and after an attack.