Data breaches driven by the increase in digital transformation across industries are proving costly to remediate and are damaging brand reputation. According to the Cost of a Data Breach Report 2022, the use of stolen or compromised credentials remains the most common cause of a data breach. Breaches caused by stolen or compromised credentials had an average cost of USD 4.50 million. These breaches also had the longest lifecycle: 243 days to identify the breach and another 84 days to contain it. Hence customers are looking for visibility into suspicious traffic coming to their tenants, and want to take proactive action to avoid identity-related attacks. Identity-based attacks also include sustained resource attacks through numerous login attempts and second-factor attempts. Organizations must remain alert and aware 24x7, creating much consternation and discomfort for the teams protecting these resources.
Because of these threat vectors and organizational concerns, IBM Security Verify introduces a feature that analyzes traffic across all tenants to detect indicators of compromise and anomalies for identity-related attacks such as brute force, credential stuffing, login deviations, and soon more. These alerts give the organization's identity and access management (IAM) admins visibility into suspicious traffic so that they can take proactive remediation actions such as blocking an IP address or disabling the affected user account(s).
The threat intelligence feature is currently in beta for interested customers and partners. Details on how to request access to the beta are at the end of this blog.
IBM Security Verify Threat Intelligence powered by IBM Security X-Force
To understand this new feature, let's go into more detail on how IBM Security Verify helps organizations secure themselves against large-scale identity-based attacks.
Whenever a request comes to Verify, it is first analyzed at the edge to block suspicious traffic and prevent attacks such as command injection, Cross-Site Scripting (XSS), DDoS, invalid HTTP, PHP injection, remote file inclusion, SQL injection, trojans, etc. With an edge security solution, Verify also uses geolocation/network policies to secure the infrastructure. This includes Web Application Firewall rules, IP/GEO firewall rules, DoS protection based on rate limits per IP, and client reputation based on the WAF service used by IBM Security Verify, providing visibility into the prior behavior of individual and shared IP addresses. It is designed to stop malicious clients before they can attack (planned).
It also has a Bot Manager to detect bot traffic based on end-user behavior. Additionally, custom rules are defined by IBM to deny certain types of unwanted traffic that do not fall under any of the standard protections provided by the WAF service used by IBM Security Verify. This capability in IBM Security Verify has existed for years and is not new.
The security detection and response team at IBM Security Verify keeps an eye out for threats and suspicious activity across its ecosystem of thousands of customers and partners, and it responds by taking appropriate action. Known malicious IPs are added to a blocklist at the edge layer along with various security controls covering encryption, tenant data security, network segregation and security, and more. This prevents access from these IPs to any Verify tenant.
The next layer of defense is the Threat Analyzer which analyzes incoming traffic to detect potential identity-related attacks such as Credential Stuffing, Brute force attacks, Login deviations, and more to come soon. It also leverages threat intelligence from IBM Security X-Force Exchange for IP addresses about reputation and historical data of activities such as malware, bots, and more. IBM Security X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence, and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats. This is the new capability discussed in this blog.
The additional value of this capability is that threats are identified across all IBM Security Verify tenants. So even if your organization was not affected by the threat, it could still harness the Threat Analyzer to proactively mitigate the attack with IBM Security Verify's Threat Intelligence.
Once traffic is confirmed not to be suspicious, it proceeds to pre-authentication checks. These include checking whether the incoming credential is a common password or a previously compromised credential. If this check passes, IBM Security Verify applies access policies to determine whether the request should be allowed or blocked, or whether further verification is required.
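To make the three detections named above concrete, here is an added illustration in Python that is not IBM's code and does not describe how the Verify Threat Analyzer is actually implemented. It runs simple windowed rules over a constructed list of authentication events (the IPs, usernames, timestamps and countries are all made up, as are the thresholds) and emits threat events in the shape a SIEM could ingest: brute force (many failures for one IP/user pair), credential stuffing (one IP trying many distinct usernames) and login deviation (a user succeeding from a different country than their previous success). The proposed "block for 3600 seconds" remediation mirrors the 1-hour block the blog mentions as upcoming.

```python
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since epoch (constructed values below)
    src_ip: str
    username: str
    success: bool
    country: str     # geolocation of src_ip (constructed)


# Assumed thresholds for illustration only; real deployments tune these.
WINDOW_SECONDS = 300          # look-back window for volumetric rules
BRUTE_FORCE_FAILURES = 10     # failures for a single (ip, user) pair
STUFFING_DISTINCT_USERS = 20  # distinct usernames tried from one IP
BLOCK_SECONDS = 3600          # proposed remediation: block the IP for 1 hour


def analyze(events, now):
    """Return a list of threat events found in `events` relative to time `now`."""
    in_window = [e for e in events if 0 <= now - e.ts <= WINDOW_SECONDS]
    failures = defaultdict(int)       # (ip, user) -> failed attempts
    users_per_ip = defaultdict(set)   # ip -> usernames attempted
    successes_per_ip = defaultdict(int)
    alerts = []

    for e in in_window:
        users_per_ip[e.src_ip].add(e.username)
        if e.success:
            successes_per_ip[e.src_ip] += 1
        else:
            failures[(e.src_ip, e.username)] += 1

    # Brute force: one source hammering one account with wrong credentials.
    for (ip, user), n in failures.items():
        if n >= BRUTE_FORCE_FAILURES:
            alerts.append({"type": "brute_force", "src_ip": ip, "username": user,
                           "failures": n, "remediation": "block_ip",
                           "block_seconds": BLOCK_SECONDS})

    # Credential stuffing: one source spraying many different usernames,
    # typically with a low success rate; the few successes are the ones to act on.
    for ip, users in users_per_ip.items():
        if len(users) >= STUFFING_DISTINCT_USERS:
            alerts.append({"type": "credential_stuffing", "src_ip": ip,
                           "distinct_users": len(users),
                           "successes": successes_per_ip[ip],
                           "remediation": "block_ip", "block_seconds": BLOCK_SECONDS})

    # Login deviation: a successful login from a different country than the
    # user's previous success. Walk the full history so the baseline can
    # predate the window; only flag successes that fall inside the window.
    last_country = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.success:
            continue
        prev = last_country.get(e.username)
        if prev and prev != e.country and 0 <= now - e.ts <= WINDOW_SECONDS:
            alerts.append({"type": "login_deviation", "src_ip": e.src_ip,
                           "username": e.username, "previous_country": prev,
                           "country": e.country, "remediation": "alert"})
        last_country[e.username] = e.country
    return alerts


def blocked_ips(alerts):
    """IPs the alerts propose to block; what an access policy would consume."""
    return {a["src_ip"] for a in alerts if a["remediation"] == "block_ip"}


def sample_events():
    """Constructed traffic: one legitimate user, one brute forcer, one stuffer."""
    events = [AuthEvent(900, "192.0.2.5", "alice", True, "US"),    # baseline login
              AuthEvent(1200, "192.0.2.9", "alice", True, "DE")]   # deviating login
    events += [AuthEvent(1050 + i, "203.0.113.10", "alice", False, "BR")
               for i in range(12)]                                  # brute force
    events += [AuthEvent(1100 + i, "198.51.100.7", f"user{i:02d}", i == 13, "NL")
               for i in range(25)]                                  # stuffing, 1 hit
    return events


if __name__ == "__main__":
    found = analyze(sample_events(), now=1300)
    print(json.dumps(found, indent=2))
    print("proposed blocks:", sorted(blocked_ips(found)))
```

Each alert carries the evidence (counts, countries) alongside the proposed remediation, so an IAM admin reviewing it or a SIEM correlating it can judge the action rather than trusting a bare verdict; the login-deviation rule deliberately only alerts, since a travelling user is a common benign cause.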
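The pre-authentication check above can be illustrated with an added Python example; it is not IBM's code and does not claim to show how Verify performs the check. It assumes a small constructed common-password list and a constructed breach corpus of SHA-1 digests, and looks the submitted password up using the k-anonymity range-query technique: only the first five hex characters of the hash are sent to the (here simulated, local) breach store, which returns every suffix matching that prefix, so the store never learns the full hash and the comparison finishes on the caller's side.

```python
import hashlib

# Constructed deny-list of common passwords (stand-in for a real corpus).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Constructed breach corpus: upper-case SHA-1 hex digests of passwords
# assumed to have appeared in past breaches.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2023!", "Welcome1", "P@ssw0rd")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> set:
    """Simulated k-anonymity range endpoint.

    Receives only a 5-character hash prefix and returns the suffixes of all
    breached hashes sharing it; the caller does the final match locally.
    """
    assert len(prefix) == 5
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def precheck(password: str) -> str:
    """Decide what happens to a credential before authentication proper."""
    if password.lower() in COMMON_PASSWORDS:
        return "reject_common_password"
    full = sha1_hex(password)
    if full[5:] in range_query(full[:5]):
        return "reject_compromised_credential"
    return "proceed_to_access_policy"


if __name__ == "__main__":
    for candidate in ("password", "Welcome1", "correct horse battery staple"):
        print(f"{candidate!r}: {precheck(candidate)}")
```

SHA-1 is used here only because it is the digest the range-query scheme is commonly keyed on; it is not a recommendation for storing passwords, which belongs to a slow, salted hash such as Argon2 or bcrypt.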
More to come on this in the near future.
This layer consists of the capabilities in IBM Security Verify today, which include access policy authoring based on user attributes and context such as location, extensive MFA options, and risk-based authentication that dynamically evaluates user behavior, user location, device posture, and more to compute a risk score in real time that triggers access policy rules.
The risk-based authentication capability is Adaptive Access. MFA options include SMS/email OTP, TOTP, and the IBM Verify Authenticator app (e.g., push, user presence, and biometric). Passwordless options include QR code and passkeys (FIDO).
Call to action
The beta for Threat Intelligence will allow organizations to experience the Threat Analyzer through events generated by IBM Security Verify as threats are identified. The initial beta will be for customers and partners with IBM Security Verify tenants in the United States and Europe regions. Additional regional expansion of the feature will roll out in the coming months.
Once the beta feature is enabled, threat events generated by the Threat Analyzer can be reviewed by IAM admins or sent to external SIEM solutions for extended threat detection and response. This will give customers visibility into suspicious traffic so that they can take proactive action on it to secure their organization against large-scale identity-based attacks.
In the near future, IBM Security Verify will allow IAM admins to define first-factor Threat Intelligence rules that allow immediate remediation using the IBM Security Verify access policies. This will include being able to block suspicious IP addresses for 1 hour and/or obtaining an alert, similar to the events being emitted as part of the beta.
If you want to know more about Threat Intelligence in IBM Security Verify and wish to sign up for the Threat Intelligence beta, reach out to Priti Patil (firstname.lastname@example.org) or Milan Patel (email@example.com).