
The Future of Adaptive Security


Two years ago, an Okta employee saved their work credentials to their personal Gmail account on a work laptop. It seemed like a convenience to have quick access to credentials across devices. Instead, it became the entry point for a breach that would affect 134 enterprise customers and ripple across the identity management ecosystem.

Around the same time, a LastPass engineer clicked on a phishing link, triggering MFA fatigue that led him to approve a suspicious authentication request. The attacker used this moment to access the cloud development environment and, from there, discovered that a senior DevOps engineer was running an outdated version of Plex on his home network, a system with a known critical vulnerability. By exploiting this weak point in the supply chain, attackers spent eight weeks undetected, living among legitimate traffic, extracting encryption keys and customer password vaults.

These weren't sophisticated zero-day exploits. They were identity-based attacks, attacks that leveraged the fundamental trust we place in credentials and authentication systems.

Attackers target the digital identities, such as users, admins, services, and machines, that run modern businesses today. Attackers recognize that organizations rely on Active Directory, cloud IAM, and API tokens to drive every facet of digital operations. With just one set of credentials or an API key, adversaries can:

  • Blend in with regular user activity and evade most security controls
  • Move laterally, escalate privileges, and access sensitive assets
  • Disrupt operations and launch large-scale ransomware attacks

A report from Cisco Talos reveals that:

  • 60% of major incident response cases in 2024 featured an identity attack component.
  • 44% of identity attacks specifically targeted Active Directory, making it the most sought-after system for adversaries seeking full organizational compromise.
  • 20% of identity-based breaches in 2024 involved cloud applications or service provider APIs, a growing risk as organizations move resources and business logic to the cloud.

The commoditization of the dark web's identity market is fueling this epidemic:

  • Email/financial credentials, SSH passwords, and session cookies are now advertised openly, with bulk lists of credentials selling for as little as $10-$15 per batch.
  • Sophisticated attack toolkits for targeting credentials are widely available, with subscriptions as low as $50 and as much as $750 for specialized tools.
  • High-profile company credentials are exchanged at prices between $1,000 and $3,000 per account.

In the 2025 Magic Quadrant for Hybrid Mesh Firewall, Gartner explicitly identifies "identity-centric risk-based controls across network and cloud edges" as a key criterion for evaluation. This represents a fundamental shift in how the industry evaluates firewall platforms. Firewalls can no longer be evaluated based on throughput, rule count, or protocol support alone. Their ability to integrate identity intelligence and enforce identity-aware policies is now a core requirement.

So why haven't organizations solved this problem already? The answer lies in a fundamental architectural mismatch between how modern enterprises operate and how traditional firewalls were designed.

Traditional firewalls think in terms of network topology: IP addresses, ports, network segments, and protocols. When a user with valid credentials connects to the network, whether on-premises or from the cloud, the firewall sees a legitimate connection. The firewall has no way to know whether those credentials are stolen, whether the user's behavior is anomalous, or whether the account represents a compromised identity.

Modern enterprises operate through identity, not network topology: Employees work remotely from anywhere, applications run in multiple clouds, users access hundreds of SaaS applications, and machine identities (APIs, services, scripts) outnumber human identities by a ratio of 82:1. The network perimeter has dissolved. Identity is now the new perimeter.

Siloed identity infrastructure compounds the problem: Many organizations have fragmented identity stores. Each system operates independently, collecting its own data and making its own trust decisions. This fragmentation creates visibility gaps where attackers can hide and prevents the holistic view required to detect sophisticated identity-based attacks.

Attackers are patient and professional: They use toolkits to quietly harvest, escalate, persist, and evade, often remaining undetected until significant damage is done.

In September 2023, the Scattered Spider group of about 1,000 young English-speaking cybercriminals proved how devastating identity-based attacks can be. Using social engineering, they impersonated MGM employees over the phone, tricked help-desk staff into resetting credentials, and gained access to Okta and Azure AD without a single exploit or phishing link.

Within hours, they locked MGM's systems, from slot machines to room keys, causing over $100 million in losses. Days later, they hit Caesars Entertainment, stealing 6 TB of customer data through a compromised third-party vendor. Their tactics (credential resets, MFA fatigue, RMM misuse, and identity infrastructure takeovers) show how attackers now weaponize trust instead of code. Even the most advanced network defenses fail when identity itself becomes the entry point.

Organizations urgently need security solutions that understand and enforce human and machine identity context on every network action, blocking privilege escalation, lateral movement, and data theft at multiple stages of the kill chain, both on-premises and in the cloud. The challenge is to recognize attacks where they start, with identity, and stop them before the cost is measured in lost data, downtime, and ransom paid.

A modern analogy for securing enterprise access is airport security. In the past, security focused primarily on physical barriers like gates and fences to keep unauthorized people out of restricted areas. But in today's world, simply having a ticket or blending in among crowds isn't enough. Security staff use multiple identity checks, biometrics, boarding passes, and real-time watchlists at each checkpoint to ensure that only those with legitimate, up-to-date credentials are granted access, regardless of where they are coming from. It is not the perimeter fence that ensures safety, but the layered, continuous verification of every person's identity and purpose, actively detecting impostors and suspicious behavior at every critical step.

Firewall policy can only remain relevant if it can keep up with the dynamic nature of users and workloads. This not only brings improved security and flexibility but also ensures that the policy intent is easier to understand in a readable format.

Dynamic environments require adaptive, context-aware firewall policies that evolve alongside users and workloads. Cisco Secure Firewall addresses this with seamless integration to Cisco Identity Intelligence from Firewall Management Center (FMC/cdFMC), starting with the upcoming 10.0 release, enabling it to continuously assess user risk levels and automatically push policy updates. Rather than relying solely on static IPs and ports, the firewall ingests identity signals from both Cisco and third-party sources, mapping user, device, and application behaviors to establish a baseline.

Built-in integration workflow with Cisco Identity Intelligence from Firewall Management
Dynamic Firewall Policy created automatically with pre-populated rules

When behavioral deviations occur, such as impossible travel, MFA fatigue, or help desk account anomalies, the firewall automatically enforces adaptive policies: monitoring low-risk users, requiring step-up authentication for medium-risk activity, and blocking high-risk access entirely. The firewall also surfaces proactive insights in the AIOps Security Insights view, providing root cause analysis, affected users, and remediation steps, turning identity risk visibility into actionable intelligence.
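To make the contrast between a topology-only rule and an identity-aware decision concrete, here is an added example (not code from the post or from Cisco Secure Firewall) that scores a few constructed login events for the three signals named above, impossible travel, MFA fatigue and a recent help-desk reset, and maps the score to monitor, step-up or block. Every name, weight and threshold in it (`Login`, `score_login`, `decide`, `MAX_PLAUSIBLE_KMH`, `MFA_FATIGUE_PUSHES`) is a hypothetical choice for illustration, and the geolocation table and sample logins are constructed. The topology rule in it passes every sample login, because all come from the corporate range on the expected port; only the identity signals separate them.

```python
"""Added illustration: scoring identity-risk signals for a login and mapping the
score to an adaptive firewall action (monitor / step_up_auth / block).
Constructed sample logins stand in for an identity-intelligence feed; all names,
thresholds and weights below are hypothetical, not Cisco's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table for the sample logins: city -> (lat, lon).
GEO = {"SanJose": (37.34, -121.89), "London": (51.51, -0.13)}

# Hypothetical thresholds and weights.
MAX_PLAUSIBLE_KMH = 1000.0   # faster than any airliner => impossible travel
MFA_FATIGUE_PUSHES = 5       # this many pushes before one approval => fatigue pattern
WEIGHTS = {"impossible_travel": 50, "mfa_fatigue": 40, "helpdesk_reset": 30}

# A topology-only rule, as a traditional firewall would see it:
# any host in the corporate/VPN range may reach the application on 443.
TOPOLOGY_RULE = (ip_network("10.1.0.0/16"), 443)


@dataclass
class Login:
    user: str
    when: datetime
    city: str
    src_ip: str
    mfa_pushes: int = 1            # MFA prompts sent before this approval
    helpdesk_reset: bool = False   # credentials reset by help desk shortly before


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def topology_permits(login, dst_port=443):
    """What a topology-only rule sees: source range and port, nothing about identity."""
    net, port = TOPOLOGY_RULE
    return ip_address(login.src_ip) in net and dst_port == port


def score_login(prev, cur):
    """Return (risk score 0-100, triggered signals) for login `cur`, given the
    same user's previous login `prev` (None if there is no history)."""
    reasons = []
    if prev is not None:
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        km = haversine_km(GEO[prev.city], GEO[cur.city])
        if km > 0 and km / max(hours, 1e-6) > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    if cur.mfa_pushes >= MFA_FATIGUE_PUSHES:
        reasons.append("mfa_fatigue")
    if cur.helpdesk_reset:
        reasons.append("helpdesk_reset")
    return min(sum(WEIGHTS[r] for r in reasons), 100), reasons


def decide(score):
    """Map a risk score to the adaptive action the text describes."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up_auth"
    return "monitor"


def evaluate(logins):
    """Evaluate logins in time order, keeping each user's last login as context."""
    last, results = {}, []
    for login in sorted(logins, key=lambda l: l.when):
        score, reasons = score_login(last.get(login.user), login)
        results.append({"user": login.user, "src_ip": login.src_ip,
                        "topology_permits": topology_permits(login),
                        "score": score, "reasons": reasons, "action": decide(score)})
        last[login.user] = login
    return results


def run_sample():
    """Constructed sample: a normal login, a login after a help-desk reset, and an
    'impossible travel' login that was approved after a flood of MFA pushes."""
    t0 = datetime(2025, 1, 6, 9, 0)
    return evaluate([
        Login("alice", t0, "SanJose", "10.1.1.5"),
        Login("alice", t0 + timedelta(hours=1, minutes=30), "London", "10.1.7.9", mfa_pushes=6),
        Login("bob", t0 + timedelta(minutes=20), "SanJose", "10.1.2.40", helpdesk_reset=True),
    ])


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

Running it shows all three logins permitted by the topology rule, while the identity-aware evaluation monitors the first, asks for step-up authentication after the help-desk reset, and blocks the London login that is both geographically impossible and preceded by an MFA push flood. In a real deployment the weights would be tuned against the organization's own baseline rather than hard-coded.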

AIOps Security Insights — Visibility into risky users

Cisco Secure Firewall Management Center can integrate with identity stores including Microsoft Active Directory or Microsoft Entra ID and supports various methods of gathering data about where and how users are logged in: gathering data on the firewalls directly with capabilities such as Captive Portal or users connected via Remote Access VPN, integrating with external solutions such as Cisco Identity Services Engine, or using the Passive Identity Agent to query Active Directory directly. Beyond Active Directory and Entra ID, Secure Firewall now aligns with modern identity providers that use SAML for Remote Access VPN authentication, including Azure, Okta, Ping, and Google Workspace.

Cisco Secure Dynamic Attribute Connector, available in multiple form factors, can integrate with both public and private cloud workload providers such as Amazon Web Services, Microsoft Azure, VMware and Cisco ACI. Attributes of running services are captured and can be used in policy. As workloads move or change, the policy is updated dynamically without any administrative action, to ensure that communication to workloads remains correct and consistent.
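The difference between a rule written from a snapshot of addresses and one written from workload attributes is easiest to see when the inventory changes underneath it. The following added example (not code from the post, and not the Dynamic Attribute Connector's API) builds two constructed inventory snapshots, one before and one after an autoscaling event that replaced the web nodes and handed an old address to a test instance, and audits a static IP rule against an attribute-based rule with the same intent. The inventory format, the tag names and the functions `resolve`, `static_permits`, `dynamic_permits` and `audit` are hypothetical.

```python
"""Added illustration: attribute-based (dynamic) policy objects versus static
IP lists as cloud workloads are replaced. Inventory snapshots are constructed
and the functions are hypothetical, not the Dynamic Attribute Connector's API."""

# Constructed inventory at time T0 (the shape a cloud provider query might return).
INVENTORY_T0 = [
    {"id": "i-01", "ip": "10.10.1.5",  "tags": {"app": "web", "env": "prod"}},
    {"id": "i-02", "ip": "10.10.1.6",  "tags": {"app": "web", "env": "prod"}},
    {"id": "i-03", "ip": "10.10.2.9",  "tags": {"app": "db",  "env": "prod"}},
]

# Constructed inventory at T1: autoscaling replaced both web nodes with new
# addresses, and a test instance now holds the address i-02 used to have.
INVENTORY_T1 = [
    {"id": "i-05", "ip": "10.10.1.22", "tags": {"app": "web",     "env": "prod"}},
    {"id": "i-04", "ip": "10.10.1.31", "tags": {"app": "web",     "env": "prod"}},
    {"id": "i-03", "ip": "10.10.2.9",  "tags": {"app": "db",      "env": "prod"}},
    {"id": "i-09", "ip": "10.10.1.6",  "tags": {"app": "scratch", "env": "test"}},
]

# A static rule written from the T0 addresses: prod web -> prod db on 5432.
STATIC_RULE = {"src": {"10.10.1.5", "10.10.1.6"}, "dst": {"10.10.2.9"}, "port": 5432}

# The same intent as attribute filters that are resolved at evaluation time.
DYNAMIC_RULE = {"src": {"app": "web", "env": "prod"},
                "dst": {"app": "db", "env": "prod"}, "port": 5432}


def resolve(inventory, attr_filter):
    """Resolve an attribute filter to the set of IPs currently carrying those tags."""
    return {w["ip"] for w in inventory
            if all(w["tags"].get(k) == v for k, v in attr_filter.items())}


def static_permits(rule, src, dst, port):
    """A static rule compares addresses that were true when it was written."""
    return src in rule["src"] and dst in rule["dst"] and port == rule["port"]


def dynamic_permits(rule, inventory, src, dst, port):
    """A dynamic rule re-resolves its objects against the current inventory."""
    return (src in resolve(inventory, rule["src"])
            and dst in resolve(inventory, rule["dst"])
            and port == rule["port"])


def audit(inventory, static_rule=STATIC_RULE, dynamic_rule=DYNAMIC_RULE):
    """Check every host in `inventory` against the db tier under both rule styles.
    Returns the hosts the static rule wrongly blocks (intended web nodes), wrongly
    allows (hosts that no longer match the intent), and what the dynamic rule allows."""
    intended = resolve(inventory, dynamic_rule["src"])
    db_ips = resolve(inventory, dynamic_rule["dst"])
    wrongly_blocked, wrongly_allowed, dynamic_allowed = set(), set(), set()
    for w in inventory:
        src = w["ip"]
        for dst in db_ips:
            s = static_permits(static_rule, src, dst, static_rule["port"])
            d = dynamic_permits(dynamic_rule, inventory, src, dst, dynamic_rule["port"])
            if d:
                dynamic_allowed.add(src)
            if src in intended and not s:
                wrongly_blocked.add(src)
            if src not in intended and s:
                wrongly_allowed.add(src)
    return {"wrongly_blocked": wrongly_blocked,
            "wrongly_allowed": wrongly_allowed,
            "dynamic_allowed": dynamic_allowed}


if __name__ == "__main__":
    print("T0:", audit(INVENTORY_T0))
    print("T1:", audit(INVENTORY_T1))
```

At T0 both rules agree. At T1 the static rule blocks the two new web nodes (an outage) and still permits 10.10.1.6, which is now a test instance (a stale permission that lets an unintended host reach the database), while the attribute-based rule follows the workloads without any rule edit. That stale-permission case is the one worth alerting on in practice, since a breaking rule gets noticed by its users and an over-permissive one does not.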

By integrating Cisco Secure Firewall with Cisco Identity Services Engine, organizations can further extend their dynamic policies with attributes, basing security policies on campus users and devices rather than just Users and Groups.

Secure Firewall Management Center integrates with Cisco Identity Services Engine using pxGrid connectivity and gathers user and device context for use in policies, and it can also create policies based on ISE Security Group Tags (SGT). This allows an organization's policies to grant varying levels of access based not only on user or group membership but also on endpoint profiles or location.

By assigning SGTs to endpoints based on the many criteria offered by Cisco ISE, Secure Firewall can enforce traffic decisions based on the assigned tags. In addition to learning SGTs via pxGrid, the firewall can read them directly from the traffic inline, from the SGT that a downstream device applied in the packet itself, providing an end-to-end TrustSec architecture for Zero Trust and segmentation.

The question is no longer whether identity-aware firewalls are necessary. The question is how quickly organizations can implement them, because in a world where identity is the perimeter, the firewall that cannot think in identities is already compromised. Discover how Cisco Secure Firewall with Identity Intelligence transforms your security architecture. See firsthand how adaptive policies, continuous identity integration, and zero-trust segmentation work together to detect and block identity-based attacks before they traverse your infrastructure.


We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
