Information security teams face a serious problem when they are unable to detect the presence of a threat actor inside organizational systems. Knowing who has access to key applications is an imperative for trying to protect the company, yet according to a new report published by Okta that may not be a case.

Every breath you take

Information security teams face a serious problem when they are unable to detect the presence of a threat actor inside organizational systems. Knowing who has access to key applications is an imperative for trying to protect the company, yet according to a new report published by Okta, 85% of IT and security decision makers in the UK, France, the Nordics, and the Netherlands cite a lack of visibility over who has access to applications.

If an organization can’t decipher who, legitimately, has access to critical business applications, it can’t reasonably expect to understand if outsiders (or insiders) with malicious intent are working inside those applications to steal, damage, or otherwise use private information for nefarious purposes.

Through a third party, Okta surveyed 300 IT and security professionals, and the result was clear: Lack of visibility into application access is the top IT challenge experienced over the past twelve months. Security team have a big enough challenge on their hands: all (or nearly all) of companies’ critical business information is stored in internet-accessible systems (and is thus vulnerable to an exploit); that pool of information grows bigger every day, and may be stored in offsite or cloud-based systems which may be unknown to or unmanaged by internal security teams; partner ecosystems are expanding rapidly; security teams’ staffing levels can’t keep pace with threats; and security budgets, though reportedly increasing, are not adequate to scale security solutions to levels needed given today’s threat landscape and frequency of cybercrime. On top of all of these challenges, without an understanding of who is accessing what data how, it’s nearly impossible for security teams to do the job of securing company systems and data.

Since you’ve been gone I’ve been lost without a trace

In a keynote at InfoSec World 2016, Marcus H. Sachs, SVP and CSO at NERC, presented a sobering talk on, “Do We Know What We Don’t Know?” If this new survey is any indication, the answer is decidedly “No.” Security teams regularly deal in a lot of unknowns; sometimes teams are aware of the problem (as in the survey data, above, and issues like shadow IT or zero-days), but often their hands are tied. If a security team doesn’t know a problem exists (like a cloud-connected application or a zero-day exploit), security teams must prepare as best they can, advised Sachs. For instance, security can understand weakness in the network, have a handle on the total number of “edge devices,” maintain a complete and accurate list of all users, and know the locations of all network connections. This takes a tremendous amount of work, to be sure, and if the report is any indication, IT and security teams aren’t yet doing the hard work required to ensure they have the required information. High costs of security solutions were cited by 74% of survey respondents as a barrier to achieving better security (and presumably more visibility into the issues), but are more tools the solution to the problem?

I dream at night I can only see your face

James Jardine, founder and principle consultant of Jardine Software says that for most applications, the problem is that no one is tracking access, not that access can’t be tracked.  “A system that is not connected to Active Directory often lacks processes to track terminations or other related events to users that should revoke access. Other applications allow clients to directly manage their own users.” A high number of factors which lead to lack of visibility into application usage exist, says Jardine, but it, along with logging and reporting to understand the demographics of users, can be done.

Every claim you stake, I’ll be watching you

Despite the complexity of managing access privileges, security teams need to put better processes in place. According to Jardine, security, IT, and application teams must work more collaboratively to identify user access events and correlate those with security monitoring tools already implemented. Most security teams already have the necessary tools in place—SIEMs, firewalls, logging and analysis tools—and won’t need to expend additional budget, removing the budget barrier from the equation.

Tidying up processes for tracking should be a top priority for organizations, given that the only way to defend against intruders is to know they exist in the first place. Even with—or perhaps because of—the budget and staffing constraints inherent in most enterprise security organizations today, tackling the “who has access to what” problem should be addressed forthwith; it’s one of the best ways to stop unauthorized access which will lead to larger problems down the security road.