Breaches remain the number one security threat organizations face today, with 95% of incidents traced back to compromised user or non-human accounts. Despite escalating investments in security, the problem persists. The solution? Uncovering and resolving blind spots before they are exploited.
Identity Security Posture Management (ISPM) provides a holistic approach to addressing vulnerabilities that threat actors exploit across an organization. By pairing a unified identity platform with AI-assisted identity lifecycle management and guided remediation, the security landscape becomes defendable again. Secure the keys to the kingdom with 360° visibility, data hygiene and observability, and rich context updated in real time. The RadiantOne platform integrates 100% of identity data across legacy systems, cloud platforms, and non-human entities into a single source of truth. AI-driven analytics and proven methodologies enhance risk identification and remediation, fortifying your IAM and Zero Trust programs.
My name is Wade Ellery. I’m the Chief Evangelist and IAM Strategy Officer at Radiant Logic. I’m joined today by Akshay, our Vice President of Solutions Consultants. We’re going to talk to you about realizing identity security posture management with RadiantOne, or how I learned active threat prevention in kindergarten.
The kindergarten reference is basically just some proverbs that I learned as a child. The key one we’ll focus on today is “a stitch in time saves nine.” We’ll talk about why doing things up front is actually going to protect your environment and save you a tremendous amount of additional work and effort in increasing your internal security. There are other proverbs on here. “Garbage in, garbage out” is probably one we’ve all learned in the IT industry, where identity quality and the data of the information coming into the system really controls the quality of the data coming out. That’s going to be a focus also of what we’re talking about today.
So why are we focusing on identity? Well, identity is the last defense against breach, but it is failing. If we were properly managing breaches right now, if we had our infrastructure properly built, everything was configured, and if we had the right tools in the right place, we wouldn’t be seeing almost daily announcements of major breaches. In fact, just today, Qantas Airlines announced that they had been breached, or one of their third parties who had a lot of their customer data; six million accounts had been breached. This kind of breach is actually happening because you no longer need to attack a network; you simply need to log in to get onto a network. Logging in is compromising an account.
It’s not just users today, but it’s also service accounts, local admin accounts, shadow accounts, non-human identities. As agentic AI starts to take off, and believe me that is all I see now in my webinar broadcasts, it is going to flood the space with more points of compromise on the network because these applications are actually accessing other resources and using that technology to perform critical operations on the network. We have to get our hands around that.
Unfortunately, identity and access management, the traditional tools for running and managing identity, are not enough. This is a slide I borrowed from Miguel Furtado at Ascension. He is basically calling out here that identity access management is plumbing. ISPM, what we’ll focus on today, is leak detection and flow control. You need plumbing to do your basic jobs—to take a shower, to wash the dishes, to do all the things you need water for. But what we’re trying to prevent here is a leak causing a flood that’s actually going to compromise the home. That’s what we’re looking at and dealing with today.
So how do we address that? We address that with the concept of identity security posture management. This is focusing on identity itself: the attributes, the objects, the users, the accounts, and controlling that information in a way that adds to security. Managing identity sprawl—your identities are everywhere. They’re scattered. Very few times do you really get your arms around all the identity in the infrastructure. When you don’t, you’re leaving vulnerability.
Identity security is critical. This again is what’s being compromised. This is where we need to shore up our defenses. Identity hygiene plays a major role because this is how you actually make sure your identity data is pristine, accurate, complete, and managed, and if something changes you can actually back that change off in real time. This is all part of identity security posture management. It’s not a project, it’s not an application, it is a journey, it is a lifestyle, it is a way of managing your environment going forward that will prevent your potential compromise and give you control over breaches in your environment.
So where does this operate in the infrastructure that you’re running today? Across the top, you’ll see all the applications you’re familiar with: my access management platform, my governance platform, my privileged access account management platform, my runtime authorization, which is your zero trust policy-driven access control that is becoming more and more a component of the identity stack. These are all consumers of identity data. They need that data to do their jobs, but they are not the stewards of that data. They’re just consumers.
The identity data across the bottom lives in lots of different places in your organization in many different formats, protocols, structures, and different identifiers for me across multiple applications. Something needs to bring all that information together, gather it, normalize it, correlate it, aggregate it, and then serve that data up just as it’s needed to all the applications that need to consume that data. So you have one source of truth that’s operating now with the full functionality that’s necessary to deliver that data to each of these applications as they need it.
This spans a number of areas of critical importance. Basically, blind spots are the vulnerability within the organization. Where you can’t see your data and a bad operator can, he’s going to compromise that orphaned account. He’s going to gain access to an unmanaged non-human identity. He’s going to do something to compromise your environment in the shadows. You want to shine light in the blind spots. You want to use AI to help you because this is too big a problem for human beings to wrap their head around. There’s too much information. It’s too difficult to correlate. It’s too difficult to find anomalies when you’re doing this with spreadsheets.
You need to bring AI-powered intelligence to bear to give you the ability to deal with the scale of this operation, because you want to uncover those hidden risks. You want to be able to find those anomalies, those dormant accounts, those situations where over-privileging has taken place and no one’s been able to clean it up because nobody knows it’s over-privileged. Really applying these tools to that environment gives you the ability to find the problems. But locating and identifying the problem is not enough.
You need to mitigate that risk. You need to address that issue. You need to fill in that missing information. You need to verify the data is accurate. You need to delegate it to the person who understands and knows the system so they can validate and take ownership for the resources that you’re managing. Now, this is all part of what Radiant Logic delivers, as we’ll see in a little bit when Akshay actually demonstrates the product. This is a thin slice of a very large cake of Radiant Logic capability.
We have capability today—and we’ll focus against observation, policy enforcement, remediation—but there is infrastructure enablement, governance, compliance, and risk management. There are so many areas that Radiant Logic has an impact as that layer between the sources of identity and the consumers. So if you have ten hours, give us a call. We’d be happy to sit and talk to you about all the things Radiant Logic can do, or understand your particular use cases in particular and then help you figure out how we can help remediate the risk.
So let’s take a look at the anatomy of a common breach. Think of this as a flight log or a black box readout on what happened when a system got breached in a large organization. You’ve got an IGA platform, it’s fully deployed, it’s very mature, it’s doing a great job. It kicked off last night at one in the morning and at six-thirty am it’s done rebuilding all of its information. It’s run its controls, everything looks great.
At nine fifteen, the hacker shows up. He’s a little bit late because he likes to have his coffee and his croissant before he gets to work. He runs his automated AI-driven attack tools and he gains access to the ACME domain. Remember, he doesn’t have to compromise a firewall. He doesn’t have to bust down a lot of sophisticated systems. He just has to log into an account, stuff some credentials, hijack some permissions, intimidate some help desk person—somehow get access to that account, which apparently is working very frequently.
Now that domain is compromised. So what does he do with that compromise? He picks a regular old Amelia Taylor account, which is not a sensitive account. It’s not a privileged account managed by a PAM system. It’s just a regular old account Amelia has, but he needs to now elevate that to give it access to sensitive resources. She doesn’t have that permission today. She’s not managed by PAM. So he’s going to add her to a particular group that gives her access to more sensitive resources.
Amelia’s account now has group permissions to access these sensitive resources. The hacker is going to log in to the domain with Amelia’s account with elevated access, and off he goes, starting to gain access to sensitive data. He starts transferring the data. In about an hour, he has a terabyte and a half of sensitive information. That may be proprietary company data, it may be customer data, it may be your internal employees’ information. There’s a lot of important data on your network that’s vulnerable.
One point five terabytes in an hour is actually twice the time it took a recent hacker to get that much data out of a UK company that was compromised. The ITDR team was chasing this person through the network trying to stop them, but he was so quick he got in and out before they got done trying to remediate him. So the hacker logs out of Amelia’s account. He removes Amelia’s account from the privileged group. He doesn’t want to leave any evidence behind. If he’s really good, he wipes the logs. He logs out and he’s gone.
At one o’clock in the morning the IGA system kicks on. It does this refresh of the identity data, it runs all its policies, and it says, “You know what, everyone looks fine to me. No anomalies, no problem, nothing to see here.” And this person actually compromised that account and got away with it. This is normal operating business today in a world that doesn’t understand real-time change detection and real-time remediation in the risk model. It’s not anybody’s fault, it’s the world we built, it’s the world the technology could support.
We have really strong IGA implementations that are managing privileges, least privilege, role-based access control, all the good things we’ve built over the years and invested in. We have different directories, databases, and applications that access management uses to query and authenticate a user in real time and gain access to a resource. But there’s nothing here monitoring and managing this particular flow in this particular model and understanding if identity data is being compromised and being used in a way it’s not allowed.
So when you layer in RadiantOne, when you bring Radiant Logic into the mix and you connect it to recognize what the IGA platform is doing and what roles and access people should have, to monitor the directories and databases and applications to see what information is changing in those systems and whether it’s coming from an authorized source, and to talk to the access management layers, you can actively interact with active sessions when necessary to protect the applications and understand the actual entitlements that give access in those applications. When you have observability, real-time policy enforcement, active remediation, and a shared signals platform with RadiantOne, now you have a fighting chance.
So let’s take a look at that breach now from another angle. All the first seven steps are pretty much the same. The person got in, compromised Amelia’s account, and gave it privileged access through a group. But RadiantOne’s policy enforcement catches that out-of-band privilege elevation. Amelia’s account has group permissions to access sensitive resources, but RadiantOne’s policy has recognized that she’s gotten out-of-band access.
When the hacker attempts to access a sensitive resource with Amelia’s account, the session is going to be revoked in real time through a shared signals framework. This is a communication protocol. It’s a standard protocol used today for identity management components to communicate with each other. Radiant Logic has real-time data that there’s been a compromise on Amelia’s account. She has an open session in Okta. We send the signal to Okta saying, “Warning, you may want to revoke this particular session because this account is no longer secure.” Okta can do that based on that information, and we’ll see that immediately stop the hacker in his tracks.
The automated policies in Radiant Logic also boosted Amelia’s risk score from ten to fifty. So if the attacker now attempts to log in again, hoping he can gain access and compromise the system in another direction, even though Amelia’s account has elevated privileges, that access is now going to be denied because that access is now based on group membership plus risk score, and risk score is now out of parameters. This is also a piece of the infrastructure and safety mechanism that the hacker can’t get to. He doesn’t know where that risk score is being set. He doesn’t know what mechanism is being used. He knows he can add this person into a group to gain access; he doesn’t understand why it’s failing.
The elevated risk score is going to prevent him from successfully logging in to the domain. Without domain access, he can’t get access again to sensitive resources. He’s going to create a backdoor account because he wants to come in later; he’s frustrated, he’s going to do some more research. Radiant Logic detects the backdoor account that’s been created, alerts on that so people are aware and can remediate that. The hacker gets out of the system because he’s getting nervous after two hours.
Now the Radiant Logic administrator can remediate Amelia’s over-privileged account, eliminate the backdoor account, log all this information, and report it to the NOC. At one am, when the IGA system rolls over again at night, it’s going to recognize no anomalies, no problems, nothing to see here, nothing happened on its watch, because it missed it completely—but Radiant Logic didn’t.
Now let me give you a demonstration of this happening in real time. I’m going to bring in Akshay and let him show you with the application running itself. We’ll get this on full screen so you’ll be able to see Radiant Logic actually working through the steps we just talked about. I’ll let Akshay explain this as it goes forward.
All right, thank you so much, Wade. In this demonstration, you’re going to see in real time how Radiant Logic can protect your Active Directory environment from any changes that are out of band. It can do three things. One, it can observe the data and identify any risks that exist and increase or reduce the risk score for the user. Two, we don’t want to just show yet another dashboard; we want to remediate these out-of-band provisioning events in real time so that elevated access or additional accounts that are created by the hacker do not exist in your ecosystem anymore. Three, we’re going to send signals out to Okta to revoke sessions as well as protect legacy applications like your LDAP.
Again, this is not specific to Active Directory. You could have ServiceNow, you could have your IDP—all of those systems can be protected using Radiant’s security platform. In this case, we have Amelia Taylor. Her account looks good. Her risk score is ten, which is way below the threshold for the security policy. Amelia has two access points: one is her LDAP application that she uses for productivity, and also a modernized IDP-initiated application, which is protected by Okta as the IDP.
Amelia, as you can see, is able to authenticate because her risk score is way below the threshold according to the policy. The same way, there is an IDP-initiated application, which is protected by Okta, so Amelia is able to log into Okta, which in turn gives her access to the application. We want to showcase the breadth of not just protecting your modern applications, but also your legacy applications that are currently authenticating against your domain. We want to showcase the power of the utility, which is the real-time component.
So Amelia is looking good. Amelia is able to log into both these accounts. Now what happens is the user is being compromised. Amelia’s account is being added to a very sensitive group, which is Research and Development, by a hacker. Through this new elevated permission, the hacker is able to access the application and cause big damage to the organization.
But what does Radiant Logic do? It immediately identifies and observes that this is an out-of-band provisioning event. It elevates the risk score for the user. As you can see, the risk score jumps from ten to fifty. Now when the user tries to log into the LDAP application that’s authenticating against the domain, the hacker is no longer able to authenticate. In the same way, when the user goes to an active session and tries to access the IDP-initiated application and clicks on something like “create a purchase order,” the session is automatically revoked.
The reason is Radiant not only protected the LDAP application, it also sent a signal back to Okta saying, “Remove all of the sessions that the user might have.” Now the hacker is getting smart. The hacker is trying to re-authenticate against the application that’s protected by Okta. But what did Radiant Logic do? When it sent the signal, it also sent a “disable account” signal back to Okta. So the user’s account is disabled because of the risk score, and the user is not able to authenticate against the application. The user is completely protected and the attacker is not able to access anything.
Now let’s go into the service again. We’re showing you what Amelia’s account looks like, what the access chain looks like. In this demonstration, this is more of a manual process. But in the real world, this will be automated and will be running in the background. You don’t have to move a muscle to protect your organization.
In this case, we’re seeing Amelia’s account and the 360-degree access. This shows everything that Amelia can access within your ecosystem. It’s showing the list of identity attributes. Specific to this use case, we’re seeing ACME as the domain and all of the permissions that Amelia has. The first two permissions look all right, but the third one is the sensitive one, which is Research and Development, which was added out of band by the hacker.
Now we’re going to show you the control that we created behind the scenes, which is constantly monitoring for any changes that might occur on these privileged groups, which are out of band. In this Research and Development group, we can already see that Amelia’s account was added as an out-of-band provisioning. Now we’re going to click on Amelia’s account and say, “Hey, this is out of band, so I’m going to remove this account.” This is the way Radiant performs remediation against the back-end system.
Now if you go back to Amelia’s access chain, you no longer see Amelia’s account added to the Research and Development group. In real time, we have remediated this account and also replenished the access chain of the user. Now Amelia’s account is completely restored, and that reflects in the risk score as well, because Amelia is no longer part of that sensitive group. When Amelia logs in the next day, her account is protected and the risk score is reduced.
In real time, Amelia is able to authenticate against the LDAP application because we’ve restored her account. At the same time, we’ve also sent a signal back to Okta saying, “The risk score of this user is now reduced below the threshold, so please enable the application within Okta so the user can authenticate against her user profile.”
So this is Radiant Logic protecting your identity data in real time, identifying any anomalies that might exist within your ecosystem, monitoring all the constant changes in entitlement provisioning, and making decisions and sharing signals out to external authentication providers like Okta and LDAP applications, and protecting your ecosystem—in this case ACME as the organization. Thank you so much, Wade.
Thank you, Akshay. That was excellent. I think it really does a great job of highlighting the capabilities to actually be able to do this on a real-time basis. As you mentioned earlier, the ability to automate those processes is key. You showed us the nuts and bolts of what was working behind the scenes. But in a number of scenarios, especially when you need to be able to react as quickly as possible, those tasks can all be done automatically. Alerts can be sent out so people can see after the fact what was stopped and what was remediated. That’s very, very powerful.
The really nice thing about the industry is that we are moving towards a “better together” scenario where Okta does a really good job of authentication, authorization, and application access control. When Radiant Logic finds an anomaly in the network that compromises security, we can immediately share that information with Okta over a standard protocol that Okta is built to understand and that we know how to speak. Working together allows both applications to contribute to an overall security profile that’s stronger.
The takeaway here from us is that today’s fight is taking place in real time. From my radio metaphor in the beginning, if we were winning the battle, then I wouldn’t be worried about trying to change the game, but we’re not winning the battle. We’re losing the battle, and we’re losing it every day. So we have to shift the paradigm. We have to escalate our responses ahead of those that are trying to compromise our networks and take advantage of our environments.
It’s becoming a lot more critical. It used to be about reputation: someone got compromised and then the company’s reputation went down. Then it was ransomware, taking money out of organizations. Those are all recoverable. But healthcare organizations in the UK recently had an affiliate that did blood tests, blood analysis, blood typing, and biopsies compromised by ransomware, and they were non-operational. They could not operate and provide timely responses for hospitals. A man actually lost his life because they could not type his blood properly and were not able to save him because of the compromise of that network.
So it’s not just money and time and reputation now; it’s human lives that are at stake. We as an identity infrastructure organization—and the identity community in general—really have an opportunity now to step our game up and protect reputation, protect money, and also protect people. We’re bringing these defenses into a real-time prevention and remediation mode. Again, this can be very automated. It’s definitely all visible as you see it go on, and as things happen they can be remediated and taken care of. It’s not just a post-analysis reporting tool; it is actually active.
Combine this with the ability to go in and do ISPM and really prepare and clean the environment and narrow down the attack surface and minimize the areas that can be compromised, and you’re going to have a very defensible environment. The best metaphor I have for this is: you don’t have to run faster than the bear; you just have to run faster than the guy next to you. You’re never going to be one hundred percent capable of preventing all potential breaches, but if you harden yourself to the degree that the hacker who came in gets frustrated quickly, he’s going to leave and go look for something else easier, a lower-hanging fruit for him. That’s the best defense you can give yourself today.
I want to thank Akshay for joining us today and presenting the product in real time. I think this is a powerful example of what can be done in modern technology today in the identity space, and we encourage you to contact your Radiant Logic account executive or reach back to us directly. If you have more questions, we’re here to help and show you how we can bring this to your organization today. Thank you very much, and we’ll see you on the next webinar.