What we observe 

At Quorum Cyber we deal with hundreds of incidents every year. And in every incident we encounter, whether small or large, there’s always one thing that is inevitably true: the incident will have – at some stage – compromised valid human and non-human identities.  

This constant threat looms over organisations, challenging their security and integrity. But with every challenge, and every threat, we believe there is an opportunity, a weakness that can be used against adversaries to defeat the threat.  

Given that most – if not all – attacks will rely on compromised identities, what if we could use the identity strata as a choke point to detect and contain all attacks, disrupting threat actors before they could do harm? 

Microsoft has built a plethora of robust identity security features, designed to safeguard against these very threats. However, because of the fragmented nature of these security capabilities, most customers haven’t implemented the full scope of the available identity security features. Most aren’t even aware of what is possible. The potential is vast, yet untapped, leaving organisations vulnerable to breaches that could have been prevented. 

We recently dealt with a perfect example. A customer reached out because of a breach of an administrative account with high privileges within a tenant. The account was protected with multi-factor authentication (MFA); however, it had SMS text messaging as its default authentication method. Some basic social engineering unearthed the account holder’s mobile phone number, and after a targeted SIM swapping attack, this account was compromised. On the surface, the organisation thought it had done everything right by having MFA in place, but some authentication methods are stronger than others.

Security implementation isn’t an out-of-the-box, plug-and-play exercise; good security is an ever-evolving process that requires frequent feedback and analysis to ensure that it is fit for purpose.  

What we feel and the price we pay 

The frustration is palpable. As security professionals, we are tired of walking into incidents that could have been prevented with the features that were available but not enabled. It’s a recurring nightmare, one that highlights the disconnect between potential and reality; the tools are there, the solutions are built, yet the implementation lags, leaving a gap that malicious actors are all too eager to exploit. 

This is the price we pay when implementing cloud security technologies. The rate of change and innovation is constant. There’s always wiggle-room to improve security posture using the latest and greatest features, and conversely, by shedding outdated or less secure methods quickly.   

What we decided to do about it 

Quorum Cyber’s managed services already have robust protections in place, powered by a combination of signals from Azure, Entra, and Defender for Identity. Our vast catalogue of analytics identifies, contains and stops identity-based attacks at lightning pace. To better support our customers’ approach to being proactively secure, Quorum Cyber began offering customers new services that focus exclusively on securing identities and the underlying identity platform. Our approach is twofold: proactively hunting for identity issues and reactively disabling attack paths. By creating a chokepoint through high-quality detection and disruption, we aim to go deep on identity telemetry, ensuring that threats are identified and mitigated efficiently.

Quorum Cyber recently obtained the Identity and Access Management Security specialization from Microsoft. This completes the set that security partners can achieve, joining our existing specializations of Cloud Security, Threat Protection and Information Protection and Governance. Obtaining this specialization required Quorum Cyber to demonstrate repeated customer success stories focused on Entra ID and the security features within it. This recognition from Microsoft is proof that Quorum Cyber is a leader in providing identity-focused services via Entra ID to the enterprise.   

Microsoft Security specializations

Examples of engagements and customer journeys 

Our journey towards enhancing identity security is enriched with diverse engagements and customer journeys. Each step we take is a testament to our commitment to securing identities. 

Conditional Access Hygiene 

Maintaining Conditional Access Hygiene is crucial in preventing unauthorised access. Our efforts in this area have helped numerous organisations strengthen their access controls, ensuring that only authorised users can access critical resources under the right circumstances. Misplaced exceptions, missed cloud apps, and contradicting policy settings are all frequent discoveries when performing these assessments in the customer’s environment.  

MDI deployment and reviews 

Although deployed across all our managed services customers, Microsoft Defender for Identity (MDI) still has a small install base among customers not in our care. On-premises Active Directory identities should not be a blind spot for customers. When we begin working with those who don’t have Defender for Identity deployed, we immediately suggest that we run through a deployment exercise. Through comprehensive MDI deployments and reviews, we have been able to prevent privilege escalation and lateral movement within networks. This proactive approach has significantly reduced the risk of internal threats and enhanced overall security.

Privileged accounts, groups and guest-access reviews 

Maintaining access control hygiene is imperative to ensuring that the blast radius of a potential attack is minimised as much as possible. We’ve conducted dozens of reviews focused on the built-in administrative and privileged roles available in Azure and M365, guest and external collaborator accounts and cross-tenant collaboration settings. There’s not been a single review performed where Quorum Cyber hasn’t identified a stale account in one of these areas, which could be ripe for an attacker to exploit. Why go through the struggles of exploiting a zero-day vulnerability when an account is wide open for compromise instead?  

The end game: ITDR 

The ultimate goal of our efforts is Identity Threat Detection and Response (ITDR). This gold-standard managed service is designed to deploy and maintain all security capabilities to the highest standard as well as ensuring the integrity of the tools and features. It goes beyond mere prevention, focusing on the proactive detection and hunting of identity security incidents. ITDR represents the pinnacle of our commitment to securing identities, ensuring that organisations are protected against even the most sophisticated threats. 

We’re working on offering even more comprehensive identity-focused services in our portfolio, delivered through professional services and managed services. We aim to be leaders in ITDR services, so being a Quorum Cyber customer will give your organisation a head-start in securing all your digital identities and the utmost level of trust that your access pathways will only authorise authentication requests for those you want them to.

Contact us 

Please contact us if you wish to discuss any aspects of your cyber security or data security.  
