The keys to detecting cloud identity threats

Lacework Editorial, May 31, 2023, 5 min read

While cloud identity architectures play a crucial role in managing and securing user identities and their access to cloud resources, they present a significant security risk today. More than 50% of cloud identities have super admin access and 80% of machine identities in the cloud are inactive. This overprovisioning of credentials and accounts creates an environment in which cybercriminals can easily operate.

Sounds like cloud identity architectures are in need of a little spring cleaning!

However, managing these accounts and permissions is no walk in the park. Larger organizations often have thousands of human and machine identities, each with thousands of granular cloud entitlements. And while automated cloud infrastructure entitlement management (CIEM) is essential for getting to a least privileged state, it’s simply not enough to prevent an identity-based attack.

Here are a few steps you can take to identify and address cloud identity threats: 

Identity is the new perimeter

Public cloud environments are far more accessible than traditional on-premises environments that sit behind a network perimeter. Because of that design, identities now play an outsized role in securing clouds. Organizations must apply the principle of least privilege, reduce their attack surface, and limit the number of identity-related vectors that bad actors can exploit.

There is also good reason to believe that identity threats will persist, given the active black market for stolen credentials and the increasing number of known attacks against multi-factor authentication (MFA). According to Verizon, 82% of recent breaches involved the “human element,” defined as compromised credentials, phishing, misuse, or simple mistakes. 

While 100% prevention should always be the goal, it will likely never be the reality. Organizations must be prepared to find and fix a breach once it has occurred.

As part of a defense-in-depth approach to cloud identity security, organizations must actively monitor what users, services, and applications are doing with their entitlements. In this way, unusual behavior that may be a sign of an attack or unknown threat becomes more visible and actionable.

Continuous monitoring is no easy task

While a least privileged approach helps reduce the cloud attack surface and limit the blast radius of an incident, it does little to help strained security teams discover in-progress attacks or insider threats from accidental privilege abuse. 


But gaining the necessary level of visibility to help broaden the defense spectrum is challenging. Continuously monitoring user and machine behavior can be complex, labor-intensive, and expensive. It requires collecting, correlating, and analyzing massive amounts of log data from services like AWS CloudTrail to understand events like API calls and failed authentications. Teams must also consider workload data that details what processes are running, who hosts are talking to, and more. 

Once all of this data is collected, managing the workload can create further backlog, as manual correlation of the feeds is simply not an option.

Detect cloud identity threats at scale

Many organizations monitor log data using a security information and event management (SIEM) solution. However, SIEM solutions simply are not scalable with the cloud. These types of behavioral monitoring solutions rely on rules to detect anomalies and suspicious activity. Enterprises spend hours each day writing and maintaining endless rules, which may be outdated before they even go into production. Rule maintenance also requires deep security and cloud expertise — something that is difficult to find.

The Lacework Polygraph® Data Platform is the first and only rules-optional solution that detects anomalies — including elusive zero-day threats — without the need for manual configuration or new rules each time a new cloud service is adopted, new applications are used, or new connections are made. 

In a typical attack, the behavior of the user, application, and/or service deviates from normal observed behavior. Our platform uses deviation from a temporal baseline to detect changes in behavior and activity, then automatically scores alerts based on severity and threat. Because Lacework never stops learning, it can quickly detect any attack by discovering new users, services, behaviors, processes, or connections. This is far superior to a traditional security approach, which would look for a rules-based condition — rules that are very difficult to write but very easy to fool.

Our ability to understand what your users and machines are actively doing without rules dramatically reduces the number of alerts on the order of 100 to 1. Fewer alerts to triage can reduce engineering workloads, and highly contextualized alerts empower teams to rapidly prioritize, investigate, and respond to issues faster.

Consider identity threats based on MITRE ATT&CK 

Another effective way to understand and categorize identity threats is to connect them to the MITRE ATT&CK® framework. ATT&CK defines a number of tactics and techniques that adversaries use to attack systems and data. Tactics, within the ATT&CK framework, represent an adversary’s objective for performing an action (e.g., establish persistence); techniques represent how an adversary achieves their objective (e.g., create new accounts).  

Our platform detects a number of cloud, container/Kubernetes, and host identity-related techniques that organizations should monitor for, including but not limited to:

  • Use/abuse of compromised credentials within existing accounts
  • Mistakes made by authorized users
  • Abuse of administration services to execute commands within containers
  • Accounts created by adversaries to establish persistence
  • Modifications to authentication mechanisms and processes to bypass access controls
  • Brute force techniques to gain access to accounts
  • Adversary attempts to discover cloud infrastructure and resources

Through continuous monitoring of user, application, and service activity, organizations can more accurately detect these sorts of unusual behaviors, malicious activity, and unknown threats that may signal initial access, lateral movement, privilege escalation, or any number of identity-related threats.
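To make the baseline-deviation idea from the previous section and the technique list above concrete, here is an added Python sketch (not Lacework's code) that learns a per-principal baseline from simplified CloudTrail-style records and scores deviations: never-seen principals, new API actions (weighted higher when they modify IAM), new source IPs, and repeated authentication failures. The record shape, principals, IP addresses and the failure threshold are all constructed for the example.

```python
from collections import defaultdict

def ev(principal, action, ip, error=None):
    # Minimal CloudTrail-like record (constructed shape, field names borrowed from CloudTrail).
    return {"principal": principal, "eventName": action, "sourceIPAddress": ip, "errorCode": error}

# Constructed baseline window: normal activity for two principals.
BASELINE = [
    ev("role/ci-deploy", "PutObject", "10.0.1.5"),
    ev("user/alice", "DescribeInstances", "198.51.100.7"),
]
# Constructed detection window with several identity-related deviations.
WINDOW = [
    ev("user/alice", "DescribeInstances", "198.51.100.7"),
    ev("user/alice", "CreateUser", "203.0.113.9"),
    ev("role/ci-deploy", "ListBuckets", "10.0.1.5"),
    ev("user/bob", "ConsoleLogin", "203.0.113.9", "Failed authentication"),
    ev("user/bob", "ConsoleLogin", "203.0.113.9", "Failed authentication"),
]
# Actions that change who can authenticate or what they may do (persistence / auth bypass).
IAM_MUTATIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                 "UpdateLoginProfile", "AttachUserPolicy", "PutUserPolicy"}

def learn_baseline(events):
    """Per principal, the API actions and source IPs seen succeeding in the baseline window."""
    profile = defaultdict(lambda: {"actions": set(), "ips": set()})
    for e in events:
        if e["errorCode"] is None:  # failures do not define "normal"
            profile[e["principal"]]["actions"].add(e["eventName"])
            profile[e["principal"]]["ips"].add(e["sourceIPAddress"])
    return profile

def detect(profile, events):
    """Return (severity, principal, reason) for each deviation from the learned baseline."""
    failures, alerts = defaultdict(int), []
    for e in events:
        p, action, ip = e["principal"], e["eventName"], e["sourceIPAddress"]
        if e["errorCode"]:  # repeated auth failures: brute-force suspicion
            failures[p] += 1
            if failures[p] == 2:  # threshold kept low for the tiny sample; tune per environment
                alerts.append(("high", p, f"{failures[p]} failed {action} attempts from {ip}"))
            continue
        if p not in profile:  # principal never observed before
            alerts.append(("high", p, f"never-seen principal called {action}"))
        elif action not in profile[p]["actions"]:  # known principal, new action
            sev = "high" if action in IAM_MUTATIONS else "medium"
            alerts.append((sev, p, f"new API action {action}"))
        if p in profile and ip not in profile[p]["ips"]:
            alerts.append(("low", p, f"new source IP {ip}"))
    return alerts
```

Running `detect(learn_baseline(BASELINE), WINDOW)` yields four alerts; the routine DescribeInstances call from alice's usual address produces none, which is the alert reduction the section describes.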

Simplify cloud identity management with Lacework

Lacework simplifies cloud identity management by empowering teams to both prevent cloud identity risk exposure and detect identity threats within a unified framework. By combining identity threat detection with cloud security posture management (CSPM), CIEM, and attack path analysis, the Lacework platform gives customers a clear understanding of their cloud identity architectures, visibility into cloud identity and access management (IAM) misconfigurations and exposed secrets, and continuous discovery of identity threats as they unfold.

With Lacework, teams gain the visibility and context necessary to quickly identify, prioritize, and respond to identity-related attacks, without the need to write and maintain endless sets of rules. At the same time, teams gain sight into identity risks and misconfigurations and can take action without fear of slowing developers or breaking applications in production.

To learn more about how Lacework monitors user and machine behavior and helps discover unknown identity threats, watch our on-demand demo.
