Now that Ignite is over and everyone has managed to recover from all the announcements and end-of-year craziness, it’s time to have a look at what Nicolas Blank and I covered during the webinar that we did in November 2024.
Throughout the year, ENow has been committed to helping organizations worldwide examine what applications they have in Entra ID. As ‘season 2’ of ENow’s Application Governance & Security webinar series closes, we felt it was the right time to investigate how to weigh enterprise applications adequately. After all, you need to make sure that your applications are governed and secured so that you mitigate the risk of being compromised.
Let’s start at the beginning:
I can hear people saying “Well we are fine. We know what applications we have in our organization. We have worked through the Microsoft Secure Score, and we are in the upper 80%, so we are good!”
I applaud customers for doing that. It’s vitally important and it’s a great start, but over the last year, Nic and I have been talking about everything that lives in Entra ID. Your Microsoft Secure Score is quite broad. In addition to the Identity piece, it covers other categories such as Device, Data, and Apps. While this can offer some valuable insights, organizations often need to dig deeper in the Identity space. Why? Because applications live in Entra ID, and so do the identities that access them. More importantly, those identities are not just user accounts but also service principals and managed identities, and they all live in Entra ID.
Figure 1: Al’s unofficial view on the current state of security
As much as Microsoft is doing in the space, with the announcement of:
The single biggest issue today is still phishing attacks. Why? Because humans are behind identities, and they are fallible. This means that we can also make mistakes around what our applications do inside of our environment.
So, how do you prepare yourself, equip yourself, and most importantly, protect yourself against these threat actors (well, protect your environment from threat actors)? It's simple really: we must start at the beginning. We must understand what those tricky, nefarious characters do. We need to get inside the mind of a threat actor.
Figure 2: The Cyber Kill Chain (CyCraft Technology Corp, 2021, Creative Commons)
Once a hacker has compromised an account or identity, and before they do anything else with your environment, they spend a lot of time understanding it. According to IBM, it takes organizations an average of 204 days to identify a cyber breach, with an additional 73 days to contain a breach. That’s more than half a year!!!
That means hackers have been “living” inside of your environment, monitoring, watching what happens. And quite frankly, that’s scary.
That is why we decided to give you a simple method to follow when working through the applications that live inside Entra ID.
Now, we haven’t just randomly made these things up. For those that are not familiar with MITRE ATT&CK®, it’s a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
What this framework gives you is a blow-by-blow approach to not only understanding the tactics of hackers, but also how to go up against them, using their methodology.
We took their recommendations and distilled them into 4 components.
Figure 3: R.E.A.D. Discovery
R – Reconnaissance
This process involves looking at what sort of scanning a threat actor could perform against your environment, and what information they would be able to extract from your tenant. Doing this will give you a view of the data an actor could access. You want to prevent that. Think of it as a maze that you are tracing to see if you get to the exit.
E – Execution/Exfil
For those actors that want to destroy and not just exfil your data, it becomes vitally important that you are able to recover from any malicious intent the actor may have. Think “Disaster Recovery” but for the modern age, using traditional methods. Considerations include making sure that you have a “break glass” account and a backup that is not accessible from your production identities, so that you can in fact protect it properly should you need to recover from a catastrophic failure, such as your entire estate being deleted.
A – Access
This is exactly like the board game “Cluedo.” Who has access to what, how much access they have, and across how much of your environment. For example, if an account can use a managed identity, then whatever that identity has access to, so does that account. Heaven forbid the compromised account has privileged access, because that is an entirely different problem you will have.
D – Defense/Discovery
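A defender-side inventory that answers both the Reconnaissance question above (what can be enumerated in your tenant) and the Access question (who effectively inherits what). This is an added example, not code from the webinar or from ENow’s AppGov tooling. It assumes the Microsoft Graph PowerShell SDK on PowerShell 7, a signed-in reader with the Application.Read.All and Directory.Read.All scopes, and a constructed “high privilege” regex that is a starting heuristic rather than an official classification.

```powershell
# Added example (not ENow's code): list every service principal, including managed
# identities, with the application permissions it holds and the owners who inherit them.
# Assumes: Install-Module Microsoft.Graph; PowerShell 7; read-only directory scopes.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# One call for all service principals; resource APIs (e.g. Microsoft Graph) resolve from this cache
$allSps = Get-MgServicePrincipal -All
$spById = @{}
foreach ($sp in $allSps) { $spById[$sp.Id] = $sp }

# Constructed heuristic for "weighing" a permission: tenant-wide write, or control over roles/apps
$highPrivPattern = 'ReadWrite\.All$|^RoleManagement|^AppRoleAssignment|^Application\.ReadWrite|^Directory\.ReadWrite'

$report = foreach ($sp in $allSps) {
    # Application permissions granted TO this principal on other resources
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    $perms = foreach ($a in $assignments) {
        $resource = $spById[$a.ResourceId]
        if (-not $resource) { continue }
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        if ($role) { [pscustomobject]@{ Resource = $resource.DisplayName; Value = $role.Value } }
    }
    # Owners can add credentials to the principal, so they inherit every permission above
    $owners = foreach ($o in (Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)) {
        if ($o.AdditionalProperties['userPrincipalName']) { $o.AdditionalProperties['userPrincipalName'] } else { $o.Id }
    }
    [pscustomobject]@{
        DisplayName   = $sp.DisplayName
        Type          = $sp.ServicePrincipalType   # Application, ManagedIdentity, Legacy
        Enabled       = $sp.AccountEnabled
        HighPrivilege = [bool]($perms | Where-Object { $_.Value -match $highPrivPattern })
        Permissions   = (($perms | ForEach-Object { "$($_.Resource): $($_.Value)" }) -join '; ')
        Owners        = ($owners -join '; ')
    }
}

# Highest-risk first; a high-privilege principal with no owner at all is a classic finding to chase
$report | Sort-Object -Property HighPrivilege, DisplayName -Descending |
    Export-Csv -Path .\entra-app-access.csv -NoTypeInformation
$report | Where-Object { $_.HighPrivilege } | Format-Table DisplayName, Type, Enabled, Owners -AutoSize
```

The CSV is the full map; the table is the short list to review first, and a managed identity in that list points at every Azure resource it is attached to.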
If an actor did get into your environment, do you have the necessary records in place to detect them and to make sure their activity is trackable? Yes, logs. Logs, lots of logs. Logs become your friend. Not only will you be able to find out how they got in, so that you can close that door, but also what they did while they squatted in your environment.
For a comprehensive list of tactics that actors use, head over to the Enterprise Tactics page over at the MITRE ATT&CK® site.
Figure 4: Enterprise Tactics from MITRE ATT&CK® site.
Once you have mapped out what this “attack surface” looks like, you will have a bird’s-eye view of what your world looks like to a threat actor. And with that view, we’ve used the same R.E.A.D. symbols to help you assemble “turrets,” like we all did in Warcraft, so that we can protect our world.
Figure 5: R.E.A.D. Actions
In very much the same way as the discovery phase, once you “know your bases,” you can start closing all the possible holes in your environment. Like Nic always says, “Assume Breach” and “Prepare for Breach” should be what you are focusing on, all the time.
R – Restrict
It's in the word. This is where you start focusing on restricting access to resources in your environment, whether at the network layer or by restricting access to privileged accounts through Privileged Identity Management or Just-In-Time/Just-Enough-Access management.
E – Encrypt
What we have seen in Europe mostly is that threat actors would exfil your data, stick it in a storage account, and then encrypt it while charging you 4% of your annual turnover to decrypt and hand your data back to you (GDPR 101). So, ensure that your data and backups are encrypted so that even if an actor gets in, they cannot encrypt your data.
A – Access Control
Access and Access Control are two different things. Nic and I have mapped out Authentication and Authorization in one of our previous episodes, but what this means is that you should be looking into locking down access and authorization to your estate. MFA, please people, everyone. 2024 was the year for us to say that. We will no longer be saying it in 2025. It is a fundamental thing. Please do not make us go there. Embrace Conditional Access. This is, after all, your biggest risk evaluation engine.
D – Defense
Telemetry data, like in Formula 1, is equally important here. Your Security Operations Center should be monitoring every event happening in your environment, from day 1. Spend time understanding what signals are good and bad. Then build up your defenses to combat any attacks that may occur.
Again, we did not make this up; we just made it easier to understand. Head to the “Enterprise Mitigations” page on the MITRE ATT&CK® site.
Figure 6: Enterprise Mitigations.
And that is it, my friends. That is how we close off Season 2 of ENow’s ongoing passion for helping people, communities, and organizations across the globe improve their overall identity and application security posture. They are relentless. If they must go door-to-door to get you to start taking these things seriously, they will.
In closing, our thoughts on the matter.
Figure 7: Closing thoughts
Applying the R.E.A.D. Discovery method to govern and secure your applications mitigates the risk of being compromised. Using the R.E.A.D. action steps is a great start to protecting your environment from threat actors. For more information, you can watch the full webinar How to Risk Profile Your Entra ID Enterprise Apps on-demand.
If you're looking for an easy button to identify Enterprise Application risks in your Entra ID tenant, request your free AppGov Score here. And get ready for Season 3 of AppGov Webinar Wednesdays; we have a lot more info and guidance to share.