Public Sector organizations face a rapidly evolving cybersecurity landscape where 90% of cyber breaches involve compromised credentials. To address identity-based attacks and go beyond network defense, organizations must adopt an identity-first security strategy that prioritizes resilience, visibility and recovery. In this episode of Identity Under Attack: Building Resilience in a Zero Trust Era, Zack Brigman discusses the evolution of identity-based attacks, the new risks introduced by AI and non-human identities, and the importance of having a resilient backup and recovery strategy. Listen to the Druva podcast to discover how to better protect your agency's identity system.
Erica Raymond
Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. Hi, everyone.
I'm Erica Raymond, your host from the Carahsoft team. On behalf of Druva and Carahsoft, we would like to welcome you to today's podcast, Identity Under Attack: Building Resilience in a Zero Trust Era, a Druva Deep Dive for SLED Leaders.
So in an era where 90% of all cyber breaches leverage digital identities, the perimeter has effectively shifted from the network to the user. For public sector agencies and contractors, this creates a systematic threat. If the identity layer is compromised, mission critical operations are paralyzed and the data is at risk.
This session explores how identity-based attacks are different, core considerations for safeguarding the data, and why protecting and recovering identity requires a fundamental shift towards resilience. With that being said, Zack Brigman will discuss how identity-based attacks are impacting public sector organizations, the growing risks introduced by AI and non-human identities, and why a modern approach to backup and recovery is essential to protecting and restoring trust in today's digital infrastructure. Zack, thank you so much for joining us today.
There's a lot to unpack here, so I want to start with the big picture. We're hearing more and more that attackers aren't necessarily breaking in anymore, they're logging in. Can you walk us through what's driving this shift and why it's so important for public sector organizations to understand?
Zack Brigman
Yes, thank you, Erica, and it's a pleasure to be on today. I'm really excited about today's topic, but I think you set the backdrop perfectly. Today, more and more adversaries are looking to log in versus break in.
So put differently, they're looking to the easiest path of resistance, and that's to compromise identities. Why exploit vulnerabilities if I can just log in? So organizations, agencies, folks in the public and private sector, they've always focused on keeping intruders out.
Firewalls and endpoints and intrusion detection, let's build the wall as high as we can to prevent intrusion. But adversaries are really realizing there's an easier path, and that's to steal credentials, to compromise credentials. And once they have that, they disguise themselves as a legitimate user, and that makes it very difficult to both detect and ultimately recover from these threats.
Erica Raymond
So are there any common entry points you're seeing most often? Is this considered phishing still, or has that evolved too?
Zack Brigman
Yeah, so I think that's a great question. I think what we've seen in recent trends is that only about 35% of attacks look at exploiting software vulnerabilities, which means 65% of attacks are actually using identity as a way in. And that's really spanning across a number of different things.
Social engineering seems to still be very prevalent, but we also see the purchasing of stolen credentials on the dark web. We see occasionally a brute force attack, but also looking at misconfigurations and dormant accounts and things of that nature. So social engineering still is very prominent, but I think the landscape of how attackers get in with going to the dark web or other methods is starting to pick up traction as people move away from the vulnerability of exploiting software into how do I compromise identity.
Erica Raymond
Okay, so that's amazing context to kind of set the stage of our conversation today. So let's dig a little bit deeper into identity itself. Why is identity considered so unique compared to other parts of the IT environment?
Zack Brigman
Yeah, it's a great question. And I think that when we think of the pyramid, identity sits at the top of the pyramid. So if you're using Active Directory or Entra ID or Okta, that is a central connective tissue for how your users, how your consumers, how contractors actually get where they need to go.
So that's across applications, that's across data, that's across network and infrastructure. So it really is the glue that holds things together. We're used to protecting things like databases and things like SaaS applications.
For the public sector, these are critical, but the connective tissue of identity and how that relates to accessing everything is really paramount. So much different in terms of where this sits within the IT environment, because it's not just a tier one asset. Really, this is the central nervous system to get users where they need to go.
Erica Raymond
Right. So when something goes wrong, it's not isolated.
Zack Brigman
Correct, right. So not only does access shut down, but your ability to be able to ultimately recover gets shut down. If I can't get to my systems, if I can't get to my applications, essentially the agency's paralyzed at this point, right?
I don't have the ability to be able to continue work. And if I were to initiate a restore, right, how do my users get there if that's the case? And you'll hear a lot about trust.
I think that this is a key piece where how can I trust my environment again, which is really becoming more and more critical as organizations, as agencies, as contractors are looking to say, how in the context of identity do I understand my risk? And how do I understand that my environment can be trusted again?
Erica Raymond
Got it. And is that where the resilience paradox comes in?
Zack Brigman
Yeah, I think that touches upon really how identity relates to and has a relationship with the other things in your environment. So I mentioned this briefly, right? There are scenarios and really large scale breaches that have happened recently where identity went down and the ability to access other things, whether it be endpoints, whether it be SaaS applications, right, that ceased to exist as well.
So when we think of our data protection strategies, I think we're very used to looking at things in terms of silos, right? I need to protect things in the data center. I need to protect things in the cloud.
I need to protect my users at the edge. Identity layers across all of them, right? So when identity's out, I can recover those environments should I need to if I had the capabilities in-house.
But my ability to be able to continue business if identity's down stops, right? If I pull back my SaaS applications, if I recover a tier one server or database, if users can't get there, unfortunately, it's still in a state of paralysis. So where we have this paradox is the concept of recovery and resilience and how it's a myth if you're not able to really preserve that identity layer, which is a big gap.
It's becoming very real. And I think we're seeing it play out very prominently with some high profile breaches of late where identity was impacted, which neutralized the ability for the organization to restore operations.
Erica Raymond
Okay. And so why do you think that gap exists? Is it more of a visibility issue or just historically not prioritized?
Zack Brigman
I think it's a bit of both, right? I think that we have a changing threat landscape and we've had a couple of different watershed moments across time when we think about just data protection at large. So for instance, you roll back the clock 15 years ago and we were focused on things like user error and site failure and natural disasters, all risks that still persist today, right?
But recovering from those scenarios looked very different. You know, in the COVID time, threats really hit a new fever pitch. And now we're looking at a nefarious bad actor.
It's not just operational recovery we have to account for, but the ability to roll back an environment should we be impacted by compromise. Identity is another watershed moment here where it's a new, yes, it's in the cyber category, but it's a new breed of cyber threats. It's really prompting a rethink.
I think we have security vendors really focusing on the problem. We have folks in the backup space and data protection space saying like, how do we tackle the scenario as well? It comes down to two things.
You mentioned visibility. I think it's the capability to know that I can recover, but I think it's also the visibility and the telemetry to know how I can roll back to a trusted state. So just to speak, I guess, at a very high level about it, when a bad actor enters the environment, the reason why it's so difficult to understand, to see, is that they disguise themselves as a legitimate user.
They're masking themselves as Zack or they're masking themselves as Erica. And they move across the networks. They elevate privileges.
They propagate an attack. By the time it comes to recover, I need to not only be able to know I can recover, but to put the pieces together to understand where compromise happened and where a trusted state would exist to be able to roll back to so I prevent that reinfection loop. So persistence mechanisms, things around hidden backdoors, they're very real here.
And it creates new challenges around how I need to understand my environment, how I need to understand identity and changes along the way so that I can preemptively see risk. And when it comes to my break glass recovery, know when I have to restore back to. So long-winded answer, a lot to consider.
But again, it comes down to the visibility and the trust and the confidence to know I can recover and where I need to roll back to.
Erica Raymond
Yeah. And to kind of highlight one of the things you just said, just as we're innovating for good, the bad guys out there are innovating to hack and to disrupt, which I think is a great segue into our next point. Everyone's talking about AI.
It's top of mind across the public sector. So in your opinion, how is AI changing the identity and security landscape?
Zack Brigman
Yeah. And I think that this is super timely, right? We've seen things come out of the White House around mandates for AI integration and AI protection and cautions around how we unleash agentic AI.
At recent conferences, right, if you were fortunate enough to go to some of the public sector conferences, you had vendors talking about how you can unlock agentic AI. And at the same conference, you had vendors talking about how to protect yourself from agentic AI. So it's a very interesting time in our landscape.
And AI, to your point, being used for good, right, this is great in terms of being able to hunt for threats and being able to incorporate this into our security postures. Unfortunately, right, it's changed the threat landscape in terms of how quick adversaries can move, right? They can propagate text at machine speed, which is less than ideal, right?
So I think that it was a very prominent AI vendor of late who paused, right, their release for new AI capabilities to say, hey, this could have some pretty significant damage if this is in the wrong hands. Let's provide this to practitioners in the security space to be able to elevate our security posture around the tools that they provide. Because if this gets in the wrong hand, right, this could be pretty significant.
So from a threat landscape scenario, this is another inflection point where AI is changing the game. Ransomware as a service changed the game. This is another evolution in terms of how bad actors are innovating.
So, yes, it's a very challenging time right now. AI for good and AI for bad and identity, right, the ability to be able to use this to manipulate, whether it be through a phishing attack or whether it be through once I'm inside accelerating my path to impact. It's a real concern that I think folks are really focused on and need to have a very measured approach in how they govern and adopt capabilities.
Erica Raymond
Yeah, which I think is something extremely new. As we're saying, I think there are a lot of mandates and policies coming out of the White House that are flowing through the public sector today. So it's almost as if we don't know what we don't know yet.
So is this something, in your opinion, that isn't always being tightly governed?
Zack Brigman
Yeah, I think, you know, you mentioned AI and it's a great point. I think governance comes on two scenarios, right? It's the governance of the use of AI and, you know, your workforce, your contractors, who's using what tools and what subset of capabilities within the walls of your own agency.
It's also the governance of non-human identities. So on the topic of identity, right, it's not just human users. It's not just your employees, your workforce, your contractors who have a digital identity.
It's also non-human identities. These are things like service accounts and automation tools, APIs, AI agents, right? They all need to have access to certain things.
So we're conditioned to think identity is the user. It's my consumer of services. Well, in today's modern times, at most agencies, you have non-human identities essentially outweighing the user base by sometimes two to one.
And we're governing the users, but maybe not governing the non-human identities. And these need to have specific accountability when it comes to governance. I think it's a major gap that we're seeing in market that organizations, agencies across public and private sector really need to solve for.
And there's been some pretty significant recent news around how, not nefarious, but AI agents essentially, unfortunately made a decision to wipe out something like outdated credentials. And it had significant impacts to production databases as well as backups. So the governance of who has access to what, human or non-human, as well as what permissions they have to do things within your environment, I think both need inspection when it comes to good hygiene of how we're looking at AI and how we're looking for and accounting for non-human identities.
Erica Raymond
Okay. You know, that's a lot of great insight. I feel like AI is going to extremely impact the public sector as we move forward.
So, you know, kind of shifting away from that, let's talk about resilience a little bit more, specifically where backup fits into this conversation. There's a perception that cloud identity platforms already have built-in protection. Is that actually the case?
Zack Brigman
Yeah, it's a big misconception, right? I think that we need to look at this in the lens of other workloads that we're protecting. Think SaaS apps, think cloud native.
Many follow a shared responsibility model if you're in the cloud. So while native capabilities may give you short-term retention and recycling bin capabilities, some baseline recovery, oftentimes it's not with the full fidelity or the capability that's needed to be able to properly respond to a mass impact or a cyber breach. If you're looking at things on-prem, you know, Active Directory came out at a time where there really wasn't a robust backup and recovery posture for Active Directory.
So sometimes you have manual scripts that folks have written. But there really are two scenarios. There's that scenario of I need to roll back or recover maybe specific objects or attributes.
Maybe I need to rebuild a whole forest if I need to. That's one. And then there's another where it's a compromise scenario.
And I need to be able to not only recover, but I need to be able to go back to a trusted state so I can understand things of compromise and where my last clean known good state was, right? There's some very significant workflows and use cases against them. And it's dedicated protection that really helps cover them and remove some of the blind spots that, unfortunately, if you're relying on native tools, may be present within the environment.
Erica Raymond
Okay. So in your opinion, what's missing?
Zack Brigman
Yeah, I think it's a great question. I think conditionally we're thinking of identity sometimes in the context of users and permissions and roles and attributes. And while it doesn't have the volume of data that maybe a tier one database has, there's a lot of inherent complexity, right?
Think of your user base and how many different permissions they have access to and the dynamic state of identity, right? You need full fidelity coverage to know that I can recover them with the speed that I need while preserving the structure, the relationships, the way everything's connected, right? You don't want to have a recovery scenario and then say, I have to rebuild my environment.
That can take weeks or months of prolonged downtime. The second is capabilities that really help solve for the cyber conversation. Being able to understand privileged risks, being able to understand points of compromise, persistence mechanisms, hidden backdoors, right?
The ability to put together a picture to say, I have a clear understanding of what a steady identity state is for me. I can understand deviations over time. And also with that, being able to pinpoint with some clarity to know, hey, if I've been impacted or I see something suspicious, here's my last known good point where I have a high confidence in a bad actor not being present, right?
We look at identity in a couple of different lenses here, operational recovery, as well as cyber recovery. And then again, the ability to coordinate a recovery alongside strategic workloads that you may be running, right? So we've seen the use cases around Entra ID being impacted alongside Microsoft 365 or Active Directory and Entra ID alongside something like endpoints or cloud-native workloads, right?
You need to be able to have capabilities that aren't just going to solve for the identity layer or the workload, or vice versa, right? Recovery happens in concert. So again, full fidelity operational recovery, robust cyber capabilities to understand risk and recover from them, and then the coordination across workloads that you're already running in your environment.
Erica Raymond
And from a recovery standpoint, are you potentially restoring compromised data too?
Zack Brigman
Yeah, right. So this comes down to a big challenge that we have, both in identity as well as other workloads. The reinfection loop, I think, is significant, right?
So if you're looking at your agency, if you're looking at your organization and you're saying, how do I effectively recover? Speed used to be the name of the game. How fast can I get back my data?
How quickly can I restore operations? Because of the sophisticated nature of identity-based attacks and other attacks, I need to know that when I roll back, I'm not going to be in this reinfection loop where I'm rehydrating my environment, unfortunately, with the bad actor or the threat that I'm trying to uproot. So this is very frustrating for organizations who have been caught in this trap, which is the ability to recover, but only to find out that I haven't truly remediated the threat.
This reinfection loop is very significant and something that I think when we talk about trust, when we talk about restoring with confidence, it's about knowing and having high confidence that when I hit that restore button, I'm not going to bring back the threat actor or the infectious files that I'm intending to get rid of in the first place or move on from, right?
Erica Raymond
Okay, so in terms of protecting and recovering data, from a cloud perspective, what does a strong approach look like to make sure that our public sector customers are protecting themselves?
Zack Brigman
Yeah, so I would say there are a couple of universal principles, right? Whenever you're looking at really how you should approach a data protection, a cyber recovery, a cyber resilience mindset as it relates to your data, it starts inward out, right? I need to know that I have an immutable copy of my data.
It's air-gapped from production environments, right? So it's outside the blast radius. It's in a separate security domain.
So when identity or something else is impacted, I know that I have a pristine data copy that I can go back to, right? Policy controls wrapped around that environment are crucial, right? We talked about something like identity.
If someone has admin level credentials, they steal them. They buy them on the dark web. You need to make sure that they can't tamper within that backup environment as well.
So the foundational level, immutable data copies, separated policy controls wrapped around that. On top of that, you really want to make sure you have the capabilities for remediation and investigation, the ability to be able to understand and detect threats, the ability to be able to understand points of compromise, the ability to be able to truly have a comprehensive view into risk profile so that whether it be suspicious activity that's happening in the backup environment, suspicious files coming in, that you can proactively respond to those, right?
And there are things like SIEM, SOAR integration, so on and so forth, a connectivity to the larger security stack. So that's crucial as well. And then when it comes to recovery, right?
You need the ability to be able to have a full fidelity, comprehensive recovery that respects things that you found during investigation to validate, to verify, to roll back with confidence. So it's a layered approach. That's the best way.
Starts with a hardened foundation. Capabilities really around making sure that you can protect your backups. Capabilities to be able to understand risk as it relates to data, right?
So you could act proactively. And then that robust assured recovery to know that, okay, when I need to recover, I can recover. I can come back to a trusted state and I can really account for risk along the way to make sure that I'm using evidence to guide my decisions as opposed to a best guess and a hope and a prayer that I'm going to recover.
And ultimately, when I bring it back, right? The risk is gone. So not a perfect science, but again, layered defense in depth, right?
We talked about this across the security conversation. Backup plays a very specific role in your cyber resilience posture and similar principles around defense and recovery in depth are what's needed here.
Erica Raymond
Okay, and I think that's a great foundation to kind of take us into our closing here where I want to ask you, you know, how does the approach to protecting identity need to evolve moving forward?
Zack Brigman
Yeah, I think it's a million dollar question, right? So we have identity threats at a fever pitch. We have organizations and agencies, folks in the public and private sector trying to solve for this threat.
The reality is operational recovery, there's still a use case for it. There still may be a misconfiguration, an admin error, something operationally that happens that you need to recover from, but more and more cyber threats are the name of the game. So it's really evolving and moving from this concept of being able to get my data back to the concept of resilience.
I need to withstand, I need to endure, I need to ultimately recover from a very malicious threat. And for identity specifically, that really focuses on being identity aware and what we mean by this is the ability to be able to understand threats, hidden backdoors, persistence mechanisms, things that are going on within your environment so that when you go to restore, right, that you know that you can surgically uproot the threat during your recovery workflows by accounting for the risks because you can see them, right?
And, you know, adversaries, I think they're focused on blending into a crowd. Looking like a legitimate user, when it comes to resiliency postures in terms of how you recover from identity threat, it's to go that level deeper and to understand the behaviors that are happening in the environment because it gives you the indicator of where things are off, right? So the cat and mouse game of them trying to blend in alongside you having a clearer picture of what's a good identity state look like, what's my deviation over time, and ultimately how can I restore trust and function because I have evidence to go off of as opposed to, again, a hope and a prayer that I'm rolling back to a known good state.
Erica Raymond
Right. So the approach is about being intentional, not about waiting for something to happen and then being reactive.
Zack Brigman
Yes, 100%. So it's about having a root of trust and having the ability to know that, one, my data's clean, but two, when I go to recover, it's a provable point in time that I know is not introducing risk to me in my environment, right? So it's intentional in the fact that I need to be proactive, but I also need to know that when I go to recover, right, everything within my environment is going to provide me with the capabilities to confidently resume operations, even after an incident.
Erica Raymond
Okay, Zack, that's incredibly valuable insight. We appreciate all the content and perspective that you've given us here. But before we wrap up, what's one piece of advice you would give SLED organizations that are just starting to rethink their identity strategy?
Zack Brigman
Yeah, it's a great jumping off point here. When we look at how to approach identity, I think it's a mindset shift around, okay, it's not just for access, right? This is a mission-critical asset and it's under attack, right?
And I think there's some common questions that we can ask, how are we protecting identity today? If we were to be impacted, how can we effectively recover today? Do we have the capabilities that we can understand risk in the environment?
And should we need to recover? How do we account for that risk? How do we govern things like non-human identities?
Do we have the visibility and the comprehensiveness that we need to be able to really protect the multiple IDPs maybe that we're running? We may have things in Entra, we may have things in Active Directory. It's not just one tool that we're using, right?
At the end of the day, really what it comes down to is having a comprehensive picture of, okay, how am I protecting my identity environments today? Do I feel like I have the capabilities? Should I be under attack to effectively recover?
And then how can I restore trust? So really by focusing on your posture today, where your gaps are, help rethink your identity strategy. And one thing that, again, that we're seeing is this is not necessarily the outlier.
This is becoming more of the norm. So really accounting for identity in your broader cyber resilience strategy and your broader data protection and recovery strategy. We've seen SLED agencies and even folks in the private sector really seeing really good outcomes when it comes to starting to prioritize identity as a first party citizen alongside the other strategic digital assets that they're looking to present.
So there's a business case to be made for having identity, having a seat at the table, as well as how we rethink protecting and recovering identity given current times.
Erica Raymond
Okay, well, this has been great, Zack. This has been incredibly insightful. We really appreciate you taking the time to talk with us today on this extremely important topic.
So thank you for joining us again and sharing your expertise.
Zack Brigman
Thank you, Erica. I appreciate it. Thanks for having me.
Erica Raymond
Absolutely. And to everyone else, thank you so much for listening. Thank you again to our guest, Zack Brigman.
Don't forget to like, comment, and subscribe to Carahcast and be sure to listen to our other discussions. If you'd like more information on how Druva can assist your organization, please visit www.carahsoft.com or email us at druva@carahsoft.com. Thanks so much for listening.