One lesson I hope Midnight Blizzard drives home is that the identity-as-perimeter principle is not vendor marketing fluff. If your focus is still (primarily) on the endpoint, consider carefully: these kinds of attacks neither touch devices nor trigger any device security controls, until it is way too late.
I’m not saying endpoint security isn’t important. I’m saying that it is not the fulcrum around which you should be building. You’ll miss a lot if you do.
Cloud/app/identity security feels miles away from the infra + network world that many experienced security folks are used to. Cloud and cloud-native app skills do not typically live in the CSO’s org, and this world is also miles away from the traditional IAM world, where people are still trying to hook up legacy on-prem identity tools to the cloud. Not because they’re bad or dumb, but because it’s the world they understand (and the one they have funding for).
Attackers know that most orgs have few competencies in these areas. And between you and me, we also know that your org is (probably) engaged in a political fight right now over how the lines on the org chart should be re-drawn to address these and other net-new risks. My advice: rip the plaster off quickly. Core security-critical shared services such as network and identity MUST live under the security org. It’s 2024, not 2014.
And you can’t wait for “the business” to drive it, either… security must lead.
[PS, by “lead” I don’t mean “get in the way”. I mean proactively enable the org with solutions that are both modern and secure. If you’re successful, it will make security invisible, yet more effective.]
The good news, as I shared in my previous post on Midnight Blizzard, is that the technical controls to protect, detect, and respond in these areas have been around for a while. While there are no silver bullet tech solutions (for anything in security, no matter what vendors tell you), you absolutely do not need to be a victim here. But you can’t get there with traditional tools and ways of thinking.