Tag Archives: advice

Machine Identity Management: The Overlooked Cyber Risk and What to Do About It

Posted on by
Reply

The term “identity” in cybersecurity usually summons images of human users: employees, contractors, customers signing in, multi‑factor authentication, password resets. But lurking behind the scenes is another, rapidly expanding domain of identities: non‑human, machine identities. These are the digital credentials, certificates, service accounts, keys, tokens, device identities, secrets, etc., that allow machines, services, devices, and software to authenticate, communicate, and operate securely.

CyberLaptop

Machine identities are often under‑covered, under‑audited—and yet they constitute a growing, sometimes catastrophic attack surface. This post defines what we mean by machine identity, explores why it is risky, surveys real incidents, lays out best practices, tools, and processes, and suggests metrics and a roadmap to help organizations secure their non‑human identities at scale.

What Are Machine Identities

Broadly, a machine identity is any credential, certificate, or secret that a non‑human entity uses to prove its identity and communicate securely. Key components include:

  • Digital certificates and Public Key Infrastructure (PKI)

  • Cryptographic keys

  • Secrets, tokens, and API keys

  • Device and workload identities

These identities are used in many roles: securing service‑to‑service communications, granting access to back‑end databases, code signing, device authentication, machine users (e.g. automated scripts), etc.

Why Machine Identities Are Risky

Here are major risk vectors around machine identities:

  1. Proliferation & Sprawl

  2. Shadow Credentials / Poor Visibility

  3. Lifecycle Mismanagement

  4. Misuse or Overprivilege

  5. Credential Theft / Compromise

  6. Operational & Business Risks

Real Incidents and Misuse

Incident What happened Root cause / machine identity failure Impact
Microsoft Teams Outage (Feb 2020) Microsoft users unable to sign in / use Teams/Office services An authentication certificate expired. Several-hour outage for many users; disruption of business communication and collaboration.
Microsoft SharePoint / Outlook / Teams Certificate Outage (2023) SharePoint / Teams / Outlook service problems Mis‑assignment / misuse of TLS certificate or other certificate mis‑configuration. Users experienced interruption; even if the downtime was short, it affected trust and operations.
NVIDIA / LAPSUS$ breach Code signing certificates stolen in breach Attackers gained access to private code signing certificates; used them to sign malware. Malware signed with legitimate certificates; potential for large-scale spread, supply chain trust damage.
GitHub (Dec 2022) Attack on “machine account” / repositories; code signing certificates stolen or exposed A compromised personal access token associated with a machine account allowed theft of code signing certificates. Risk of malicious software, supply chain breach.

Best Practices for Securing Machine Identities

  1. Establish Full Inventory & Ownership

  2. Adopt Lifecycle Management

  3. Least Privilege & Segmentation

  4. Use Secure Vaults / Secret Management Systems

  5. Automation and Policy Enforcement

  6. Monitoring, Auditing, Alerting

  7. Incident Recovery and Revocation Pathways

  8. Integrate with CI/CD / DevOps Pipelines

Tools & Vendor vs In‑House

Requirement Key Features to Look For Vendor Solutions In-House Considerations
Discovery & Inventory Multi-environment scanning, API key/secret detection AppViewX, CyberArk, Keyfactor Manual discovery may miss shadow identities.
Certificate Lifecycle Management Automated issuance, revocation, monitoring CLM tools, PKI-as-a-Service Governance-heavy; skill-intensive.
Secret Management Vaults, access controls, integration HashiCorp Vault, cloud secret managers Requires secure key handling.
Least Privilege / Access Governance RBAC, minimal permissions, JIT access IAM platforms, Zero Trust tools Complex role mapping.
Monitoring & Anomaly Detection Logging, usage tracking, alerts SIEM/XDR integrations False positives, tuning challenges.

Integrating Machine Identity Management with CI/CD / DevOps

  • Automate identity issuance during deployments.

  • Scan for embedded secrets and misconfigurations.

  • Use ephemeral credentials.

  • Store secrets securely within pipelines.

Monitoring, Alerting, Incident Recovery

  • Set up expiry alerts, anomaly detection, usage logging.

  • Define incident playbooks.

  • Plan for credential compromise and certificate revocation.

Roadmap & Metrics

Suggested Roadmap Phases

  1. Baseline & Discovery

  2. Policy & Ownership

  3. Automate Key Controls

  4. Monitoring & Audit

  5. Resilience & Recovery

  6. Continuous Improvement

Key Metrics To Track

  • Identity count and classification

  • Privilege levels and violations

  • Rotation and expiration timelines

  • Incidents involving machine credentials

  • Audit findings and policy compliance

More Info and Help

Need help mapping, securing, and governing your machine identities? MicroSolved has decades of experience helping organizations of all sizes assess and secure non-human identities across complex environments. We offer:

  • Machine Identity Risk Assessments

  • Lifecycle and PKI Strategy Development

  • DevOps and CI/CD Identity Integration

  • Secrets Management Solutions

  • Incident Response Planning and Simulations

Contact us at info@microsolved.com or visit www.microsolved.com to learn more.

References

  1. https://www.crowdstrike.com/en-us/cybersecurity-101/identity-protection/machine-identity-management/

  2. https://www.cyberark.com/what-is/machine-identity-security/

  3. https://appviewx.com/blogs/machine-identity-management-risks-and-challenges-facing-your-security-teams/

  4. https://segura.security/post/machine-identity-crisis-a-security-risk-hiding-in-plain-sight

  5. https://www.threatdown.com/blog/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do/

  6. https://www.keyfactor.com/blog/2023s-biggest-certificate-outages-what-we-can-learn-from-them/

  7. https://www.digicert.com/blog/github-stolen-code-signing-keys-and-how-to-prevent-it

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

MicroSolved’s vCISO Services: A Smart Way to Boost Your Cybersecurity

Posted on by
Reply

Cybersecurity is always changing. Organizations need more than just security tools. They also need expert advice to deal with complex threats and weaknesses. This is where MSI’s vCISO services can help. MSI has a long history of being great at information security. Their vCISO services are made just for your organization to make your cybersecurity better and keep you safe from new threats.

Why MSI’s vCISO Services are a Good Choice:

  • Expert Advice: MSI’s vCISO services provide high-level guidance, helping align your cybersecurity plans with your business goals. MSI’s team has many years of experience, making sure your security policies follow industry standards and actually work against real threats.
  • Custom Risk Management: Every organization has different risks and needs. MSI customizes its vCISO services to fit your exact situation. Their services cover risk reviews, policy making, and compliance.
  • Proactive Threat Intelligence: MSI has advanced threat intelligence tools, like its HoneyPoint™ Security Server. vCISO services use real-time threat data in your security operations, helping you find, respond to, and reduce attacks.
  • Full Incident Response: If a security incident occurs, MSI’s vCISO services ensure that you respond quickly and effectively. They help plan incident response, hunt threats, and conduct practice exercises. This prepares your team for potential breaches and limits disruption to your work.
  • Long-term Partnership: MSI wants to build long relationships with clients. vCISO services are made to change as your organization changes. They provide constant improvement and adapt to new security challenges. MSI is committed to helping your security team do well over time.

Take Action

MSI’s vCISO services can improve your organization’s cybersecurity. You can get expert advice, proactive threat intelligence, and full risk management tailored to your needs.

Email info@microsolved.com to get started.

Using MSI’s vCISO services, you strengthen your cybersecurity and get a strategic partner to help you succeed long-term in the always-changing digital world. Reach out today and let MSI help guide your cybersecurity journey with confidence.

 

* AI tools were used as a research assistant for this content.

Ask The Experts: Advice to New InfoSec Folks

Posted on by
Reply

This time our question came from a follow up on our last advice article to new infosec folks (here). Readers might also want to roll back the clock and check out our historic post “So You Wanna Be in InfoSec” from a few years ago. 

Question: “I really want to know what advice the Experts would give to someone looking to get into the information security business. What should they do to get up to speed and what should they do to participate in the infosec community?”

Adam Hostetler replied:

To get up to speed, I think you should start with a good foundation of knowledge. Already working in IT will help, you should then already have a good idea of networking knowledge, protocols, and architecture, as well as good OS administrative skills. Having this knowledge already helped me a lot at the beginning. Then I would move into the infosec world, read and listen to everything you can related to infosec.  There’s much much more security related knowledge online than ever before, so use it to your advantage. You also now have the opportunity to take info sec programs in colleges, which weren’t really available 10 years ago. Social Networking is very important too, and how you would likely land a job in infosec. Go to events, conferences or local infosec meetings. Some of the local infosec meetings here in Columbus are ISSA, OWASP, and Security MBA. Find some in your area, and attend something like Security B-Sides, if you can. Get to know people at these places, let them know you’re interested, and you might just end up with your dream job.

John Davis chimed in:

If you want to get into the risk management side of the information security business, first and above all I recommend that you read, read, read! Read the NIST 800 series,  ISO 27001 & 27002, the PCI DSS, CobiT, the CAG, information security books, magazine articles, and anything else you can find about information security. Risk assessment, ERM, business continuity planning, incident response and other risk management functions are the milieu of the generalist; the broader your knowledge base, the more effective you are going to be. To participate in the infosec community, there are several things you can do. Probably the best and quickest way to get started is to attend (and participate in) meetings of information security professional organizations such as ISSA, ISACA and OWASP. Talk to the attendees, ask questions, see if they know of any entry level positions or internships you might be able to get into. There are also infosec webinars, summits and conferences that you can participate in. Once you get your foot in the door someplace, stick with it! It takes time to get ahead in this business. For example, you need four years of professional infosec experience or three years experience and a pertinent college degree before you can even test for your CISSP certification.

As always, thanks for reading! Drop us line in the comments or tweet us (@lbhuston or @microsolved) with other questions for the Security Experts.

Three Ways to Engage with the InfoSec Community

Posted on by
7

J0289893

Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here a few quick words of advice that I give them for making that happen.

1) Join Twitter and engage with people who are also interested in infosec. Talk directly to researchers, security visionaries and leadership. Engage with them personally and professionally to build relationships. Add value to the discussions by researching topics or presenting material that you are familiar with.

2) Join an open source software project. Even if you aren’t a coder, join the project and help with testing, documentation or reviews of some kind. Open source projects (they don’t have to be security projects) can benefit from the help, an extra set of eyes and the energy of new folks contributing to their work. You’ll learn new stuff and build great relationships in the development and likely infosec communities along the way. 

3) The way that most folks go about it works as well. Go to events. Network. Meet infosec people and engage them in discussions about technical and non-technical subjects. Groups like ISSA, ISACA, ISC2, OWASP and other regional security events are good places to meet people, learn stuff and develop relationships with folks working on hard problems. Cons can be good for this too, but often have less chances for building rapport due to the inherent sensory overload of most con environments. Cons are a good place to grow relationships, but may not be the best events for starting them.

That’s my advice. All 3 items are hard work. They offer a chance for you to learn and engage. BUT, you have to work to earn respect and rapport in this community. You have to contribute. You must add value. 

As always, thanks for reading and until next time, stay safe out there! 

Ask The Experts Series – Workstation Malware

Posted on by
1

This time around we had a question from a reader (thanks for the question!):

“My organization is very concerned about malware on desktop machines. We run anti-virus on all user systems but have difficulty keeping them clean and are still having outbreaks. What else can we do to keep infected machines from hurting us? –LW”

Phil Grimes (@grap3_ap3) responds:

In this day and age, preventing infection on desktop workstations is a losing battle. While Anti-virus and other measures can help protect the machine to some extent, the user is still the single greatest point of entry an attacker can leverage. Sadly, traditional means for prevention don’t apply to this attack vector, as tricking a user into clicking on the “dancing gnome” often launches attacks at levels our prevention solutions just can’t touch.

Realizing this is the first, and biggest step to success here.

Once we’ve embraced the fact that we need better detection and response mechanisms, we start to see how honeypots can help us but also how creating better awareness within our users can be the greatest investment an organization might make in detection. Teach your people what “normal” looks like. Get them in the habit of looking for things that go against that norm. Then, get them to want to tell someone when they see these anomalies! A well trained user base is more efficient, effective, and reliable detection mechanism an organization can have. After that, learn how to respond when something goes wrong.

John Davis added: 

Some of the best things you can do to combat this problem is to implement good, restrictive egress filtering and ensure that users have only those local administration rights to their workstations that they absolutely need.

There are different ways to implement egress filtering, but a big part of the most secure implementation is whitelisting. Whitelisting means that you start by a default deny of all outbound connections from your network, then only allow those things outbound that are specifically needed for business purposes. One of the ways that malware can infect user systems is by Internet surfing. By strictly limiting the sites that users can visit, you can come close to eliminating this infection vector (although you are liable to get plenty of blowback from users – especially if you cut visiting social networking sites).

Another malware infection vector is from users downloading infected software applications to their machines on disks or plugging in infected portable devices such as USB keys and smart phones to their work stations. This can be entirely accidental on the part of the user, or may be done intentionally by hostile insiders like employees or third party service providers with access to facilities. So by physically or logically disabling users local administration rights to their machines, you can cut this infection vector to almost nil.

You still have to worry about email, though. Everybody needs to use email and antivirus software can’t stop some malware such as zero day exploits. So, for this vector (and for those users who still need Internet access and local admin rights to do their jobs), specific security training and incentive programs for good security practices can go a long way. After all, a motivated human is twice as likely to notice a security issue than any automated security solution.

Adam Hostetler also commented:

Ensure a policy for incident response exists, and that it meets NIST guidelines for handling malware infections. Take the stand that once hosts are infected they are to rebuilt and not “cleaned”. This will help prevent reinfection from hidden/uncleaned malware. Finally, work towards implementing full egress controls. This will help prevent malware from establishing command and control channels as well as combat data leakage.

Got a question for the experts? If so, leave us a comment or drop us a line on Twitter (@microsolved). Until next time, stay safe out there!