Continuous Visibility Across IT
Uncover all identities, entitlements, and configurations that create paths to privilege across on-premises, cloud, SaaS, and IdPs.
Identity Security Posture Hardening
Proactively improve identity security hygiene and remediate misconfigurations in a holistic way with prescriptive, contextually-rich recommendations.
Privilege Abuse & Threat Detection
Proactively interrupt threats resulting from abuse of identities, privileges, and obscure permissions via reliable AI/ML-powered detections.

Think like an attacker, defend like a pro across your identity estate.

Unified Identity Insights Dashboard
Gain a full understanding of your identities, entitlements, and threats across on-premises, cloud, SaaS, and IdPs through a single lens.
Context-Rich Detections & Insights
Proactively detect the abuse of identities, privileges, and identity infrastructure. Apply clear guidance to address identity risks and stop attacks.
Streamlined Workflow Integrations
Streamline workflows across your IT, security, and IAM teams via SIEM, webhooks, and other integrations for swift response and remediation.
Integrated, Bi-Directional PAM Controls
Leverage PAM controls to swiftly block access, right-size vendor and guest accounts, bring unmanaged accounts under PAM, and ensure least privilege.
Quick Deployment & Results
Get up and running in less than an hour with out-of-the-box connectors. Gain actionable findings, paired with rich context, within a day.
Intelligent, Cloud-Native Platform
Leverage a cloud-native, data-driven platform that delivers broad visibility, deep context, and advanced analysis to stop sophisticated identity threats.

“The biggest thing that I’ve been excited about with Identity Security Insights is that you’re looking at my Okta. [BeyondTrust] is also the only one that has access to this kind of information across all my servers and my employees. I don’t have a tool collecting that local information other than BeyondTrust's solutions. There’s a lot that [BeyondTrust] can show me that no one else can.”

Manager of Information Security, Leading American Paint Manufacturer

Get a Complimentary Identity Security Assessment

Sign up for a complimentary identity security assessment & 30-days free monitoring.

  • Get Identity Security Insights connected to your identity landscape in under an hour – IdPs, cloud platforms, on-premises Active Directory, Entra ID, SaaS applications, & BeyondTrust products
  • Uncover your entire identity security landscape through the lens of an attacker – within 24 hours
  • Get continuous monitoring of your environment against threats, including abuse of privileges and indirect paths to privileges, for 30 days
See beyond what’s protected. Stop the abuse of hidden privileges and paths to privileges with Password Safe.
Extend privileged access management best practices for remote access to vendors, internal remote workers, and infrastructure.

Sign up for a complimentary assessment of your current identity security posture, including 30 days of continuous monitoring against active abuse of privileges and paths to privileges.

You can also contact us today.

EDR tools are effective at catching malware on endpoints, but they leave a crucial door unguarded: identity! This is where Identity Security Insights steps in, complementing your existing EDR strategy by filling the identity gap.

Identity Security Insights goes beyond endpoints to provide a comprehensive view of your entire identity landscape. This includes on-premises systems, cloud platforms, SaaS applications, BeyondTrust products, and identity providers.

Our purpose-built data lake ingests and analyzes vast amounts of identity data from a growing range of sources. This enables our AI and machine learning models to uncover hidden connections between accounts, entitlements, privileges, configurations, and potential paths to privileges that attackers can exploit.

With accurate recommendations, detections, and deep context, you can proactively harden your security posture, mitigate risks, and stop attackers in their tracks.

Identity Security Insights complements your existing SIEM and other security solutions, enriching SIEM/SOC functions with rich context around identities, privileges, and paths to privileges. While our solution integrates seamlessly with your SIEM, SOAR, and other SOC solutions, it transcends simple augmentation. It marks a paradigm shift: true identity-centric security that overcomes the data deluge to deliver granular visibility and proactive defense.

Unlike SIEMs that rely on noisy event logs and require experts to interpret complex data, Identity Security Insights leverages a modern cloud-native platform and AI/ML engine to automatically analyze a wider range of identity data across all your environments. Deep analysis enables prescriptive recommendations to harden your security posture and provides rich detections to identify potential privilege abuse and threats to your identity fabric.

Identity Security Insights goes beyond traditional Cloud Infrastructure Entitlement Management (CIEM) capabilities to offer a broader and more holistic approach to securing your entire identity landscape.

Traditional CIEM solutions primarily target cloud platforms, leaving blind spots in your SaaS, on-premises, and modern application environments. For example, implementing least privilege access across AWS alone is insufficient when a misconfigured AD can allow hackers to escalate privileges across domains to breach your entire environment.

Identity Security Insights offers a comprehensive view across your entire identity fabric -- multiple clouds (AWS, Google Cloud, and Microsoft Azure), on-premises (Microsoft Active Directory), IdPs (Okta, Ping, Entra ID) and SaaS applications. This approach enables you to understand where privileges exist, how they are connected, where controls are lacking, and where they may be abused across the organization.

With deep context, you can easily identify and address privilege risks: unusual and sweeping privileges, unused app assignments, and risky or suspicious manipulation of privileges across all environments, not just clouds. This rich and unique data is not simply collected for customers to report on and browse, but also serves as the backbone of our deep ability to detect and prevent the misuse of identities and privileges.

KuppingerCole has recognized BeyondTrust as an ITDR Leader across all categories - Innovation, Product, Market, and an Overall Leader - through our platform and Identity Security Insights. In their report, KuppingerCole noted that "BeyondTrust’s approach to ITDR is uniquely platform agnostic".

Identity Security Insights solves for ITDR by taking a proactive and holistic approach to prevent, detect, and respond to identity-driven threats.

Prevent Attacks on Identity Systems

Identity Security Insights helps you improve your identity hygiene and harden your security posture with prescriptive recommendations that not only pinpoint the risks across your environment, but also explain the “Why” behind them.

Detect Identity-Driven Threats & Active Attacks

Prevention is a must, but prevention controls alone are insufficient to stop a cyberattack. Identity threats can bypass preventative controls to damage the identity infrastructure.

Identity Security Insights continuously analyzes and monitors vast amounts of data about user behavior, access patterns, common attacker tactics and techniques, indicators of compromise, and anomalies to automatically detect threats driven by the abuse of identities, privileges, and identity infrastructures. When new attack methods emerge, Identity Security Insights' AI/ML models automatically adapt to detect modern attacks.

Respond to Identity-Driven Risks & Threats

Compared to other types of threat response approaches, ITDR requires much more interoperability with IAM tools. Identity Security Insights plugs and plays with your existing ecosystem like SIEM, SOAR, ticketing, and collaboration tools via direct integrations and webhooks for streamlined incident response and faster resolution. BeyondTrust customers can also leverage integrated PAM controls from Identity Security Insights to take swift and effective actions to contain and remediate identity and privilege-driven threats.

On October 2, 2023, Identity Security Insights detected an attacker trying to access an internal Okta admin account with a valid session cookie stolen from Okta support. We then alerted Okta to the breach nearly three weeks before their public acknowledgment.

What did Identity Security Insights detect and alert on during the attack?

  • Okta session hijacking
  • Okta user performed administrative action using a proxy
  • Okta admin privileges were granted to a user
  • Okta password health report generated
  • Okta user with some level of admin access uses MFA vulnerable to SIM swapping


How did BeyondTrust successfully defend against the attack?

The Okta administrator’s account was protected with FIDO2 authentication, and policies within BeyondTrust’s Okta only allowed access to the admin console from managed devices with Okta Verify installed.

Our own instance of BeyondTrust’s Identity Security Insights, and tailored detections from our security teams, alerted us to several aspects of the intrusion. We immediately disabled the backdoor user account and revoked the attacker’s access before the account could be used, preventing any further actions.



Timeline of the attack and response

  • October 2, 2023 – BeyondTrust detected and remediated an identity-centric attack on an in-house Okta administrator account and alerted Okta
  • October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within the Okta support organization
  • October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why we believed they might be compromised
  • October 19, 2023 – Okta security leadership confirmed they had an internal breach
  • November 29, 2023 – Okta published an updated disclosure revealing the attacker had impacted all Okta customer support system users


Learn more about the attack and how to improve your Okta security:

Webinar: A Post Breach Analysis: Okta Support Unit, with BeyondTrust's Marc Maiffret, Chief Technology Officer; James Maude, Director of Research

Blog: Okta Support Unit Breach Update & Security Implications

Blog: BeyondTrust Discovers Breach of Okta Support Unit
