Gem launches cloud detection and response for identity, covering Okta, Azure AD and Google Workspace
Understand the full incident story in minutes, connecting the dots between identity, compute, network and data with Gem’s Cloud Detection and Response (CDR) platform - the first to combine IaaS and IdP telemetry into a single coherent timeline
In recent months, we’ve witnessed a marked uptick in identity-based cloud attacks, as widely analyzed breaches like MGM illustrate. Exploiting misconfigured or weakly guarded identities has become an increasingly common first step for attackers, who then move laterally to gain unauthorized access to sensitive cloud resources.
With this backdrop, safeguarding digital identities through Identity and Access Management (IAM) monitoring has become key (pun intended) for organizations migrating to the cloud. But the ability to get a complete picture of identity in the cloud, from the identity provider through to the actual cloud infrastructure, remains elusive for most organizations today.
The recent wave of sophisticated cloud-native attacks demonstrates the need for a comprehensive Cloud Detection and Response (CDR) strategy that fully encompasses identity. This is why today we’re excited to announce that Gem now supports threat detection and response on all leading cloud identity providers. These new features give security operations teams the tools they need to stop identity-related threats in real time.
Background: How IdPs serve a critical role in securing cloud environments
Identity Providers (IdPs) offer a centralized mechanism for managing digital identities and facilitating seamless access to resources across cloud environments. By federating identity information and orchestrating authentication processes, IdPs like Okta, Azure AD, and Google Workspace streamline user access management, bolster security postures, and enhance operational efficiency. However, the centrality of IdPs also concentrates risk: a compromised IdP tenant, admin account or federated session can open the door to every cloud environment that trusts it, which makes the IdP a supply-chain-like dependency for the whole estate.
Attack pathways in cloud environments are typically multi-faceted, starting with initial access (often through compromised credentials) and advancing via lateral movement towards critical assets like PII or other sensitive data. In this environment, traditional cloud security posture tools can help organizations identify insecure configurations and remediate high-risk identity issues. But these tools provide minimal to no real-time monitoring of malicious activity.
For example, in the recent MGM breach, reports state that the attack groups ALPHV and Scattered Spider used vishing to get access to MGM’s Okta tenant. Then, using these compromised identities, they exfiltrated data from the company’s Azure tenant and deployed ransomware on critical assets. Cases like these are often challenging for SecOps teams, because the identities used for initial access are legitimate and every individual action may look authorized. To detect the threat, organizations have to be able to analyze and understand real-time activity in the context of a behavioral baseline for that identity.
Given the importance of identity in securing cloud infrastructure, identity activity monitoring is critical to prevent unauthorized access, identity spoofing, and ultimately, data breaches. Detecting and responding to suspicious and unusual activity around this critical infrastructure can help security teams stop incidents at very early stages, dramatically reducing the risk of a full blown breach.
Detecting incidents at the Initial Access phase
Gem Security is thrilled to announce the integration of Okta, Azure AD, and Google Workspace into our real-time CDR platform. This enhancement represents a massive step forward in our ongoing commitment to significantly reduce the time it takes SecOps teams to detect, investigate, and contain threats across the entire cloud estate: network, data, compute, control-plane and identity services.
Gem’s IdP support provides two main advantages:
Organizations can integrate context from IdPs into cloud alerts throughout the platform, eliminating the need to pivot between multiple tabs to investigate a threat.
Organizations get best-in-class detection and response on top of the IdP activity itself, providing an added level of protection against real-time identity-based threats.
Gem Seamlessly Integrates IdP Logs and Context
Detect identity-related threats in real-time across all cloud providers and IdPs
Each IdP integration comes bundled with a wide variety of detection rules mapped to attacker TTPs, from MFA manipulation and admin role assignments to session hijacking and authentication policy modification. Identity behavior in Gem is tracked using a unique profiling mechanism that learns what is normal for each identity (for example, the locations and applications it typically uses), which allows us to reduce the noise and focus only on unusual events. Every triggered alert also includes a fully expanded timeline, containing the relevant events from multiple log sources.
Focus only on high-fidelity alerts, without the noise
Users and IPs are now multi-faceted entities in Gem, aggregating information from numerous sources. This correlation enables automatic linking between alerts across cloud and identity providers, and effectively chains together multiple steps in the kill chain, which would’ve otherwise been observed as disparate signals. An attack that starts with a session hijack in Okta, and continues with an unusual amount of data exfiltrated from an S3 bucket, will now be grouped together in Gem under a single threat - all revolving around the user entity.
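To make the two mechanisms described above concrete (profile-gated IdP rules from the previous section, and user-entity correlation across IdP and cloud logs from this one), here is an added example in Python. It is not Gem's code. The Okta and CloudTrail records are constructed and use a simplified field set modelled on the Okta System Log and AWS CloudTrail schemas; the per-user profiles, the rule names and the ATT&CK technique IDs are this example's own assumptions.

```python
"""Entity-centric correlation of IdP and cloud control-plane telemetry.

Added example, not Gem's code. All records below are constructed and use a
simplified field set modelled on Okta System Log and AWS CloudTrail; the
ATT&CK technique IDs are this example's own mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Behavioural profile per user, as a detection platform would learn it from
# history (constructed): source IPs seen recently and daily S3 egress bytes.
USER_PROFILE = {
    "alice@example.com": {"known_ips": {"203.0.113.7"},
                          "daily_s3_bytes": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000]},
    "bob@example.com": {"known_ips": {"203.0.113.8"},
                        "daily_s3_bytes": [500_000, 700_000, 600_000, 550_000, 650_000]},
}

OKTA_EVENTS = [  # constructed; eventType strings follow Okta's naming pattern
    {"ts": "2024-05-01T09:02:00Z", "eventType": "user.session.start",
     "user": "alice@example.com", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:05:00Z", "eventType": "user.mfa.factor.deactivate",
     "user": "alice@example.com", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T09:06:00Z", "eventType": "group.user_membership.add",
     "user": "alice@example.com", "ip": "198.51.100.9", "target": "Okta Administrators"},
    # Bob resets his own MFA from a known IP: routine, should stay silent.
    {"ts": "2024-05-01T10:00:00Z", "eventType": "user.mfa.factor.deactivate",
     "user": "bob@example.com", "ip": "203.0.113.8"},
]
CLOUDTRAIL_EVENTS = [  # constructed; bytes_out stands in for S3 data-event byte counts
    {"ts": "2024-05-01T09:20:00Z", "eventName": "AssumeRoleWithSAML",
     "user": "alice@example.com", "ip": "198.51.100.9", "bytes_out": 0},
    {"ts": "2024-05-01T09:25:00Z", "eventName": "GetObject",
     "user": "alice@example.com", "ip": "198.51.100.9", "bytes_out": 40_000_000_000},
    {"ts": "2024-05-01T10:30:00Z", "eventName": "GetObject",
     "user": "bob@example.com", "ip": "203.0.113.8", "bytes_out": 600_000},
]

SENSITIVE_MFA = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}
ADMIN_GROUPS = {"Okta Administrators"}          # assumed name of the admin group
CORRELATION_WINDOW = timedelta(hours=2)         # assumed chaining window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_idp(events, profiles):
    """IdP rules gated on the user's IP profile, so self-service actions
    from a known location do not raise alerts (the noise-reduction step)."""
    alerts = []
    for e in events:
        known = profiles.get(e["user"], {}).get("known_ips", set())
        if e["ip"] in known:
            continue
        if e["eventType"] in SENSITIVE_MFA:
            alerts.append({"rule": "mfa_manipulation", "ttp": "T1556.006", "source": "okta", **e})
        elif e["eventType"] == "group.user_membership.add" and e.get("target") in ADMIN_GROUPS:
            alerts.append({"rule": "admin_role_assignment", "ttp": "T1098", "source": "okta", **e})
    return alerts


def detect_cloud(events, profiles):
    """Flag a day's S3 egress that sits more than three standard deviations
    above the user's learned daily baseline."""
    agg = {}
    for e in events:
        if e["eventName"] != "GetObject":
            continue
        rec = agg.setdefault((e["user"], e["ts"][:10]),
                             {"bytes": 0, "first_ts": e["ts"], "ip": e["ip"]})
        rec["bytes"] += e["bytes_out"]
        rec["first_ts"] = min(rec["first_ts"], e["ts"])
    alerts = []
    for (user, _day), rec in agg.items():
        hist = profiles.get(user, {}).get("daily_s3_bytes")
        if not hist:
            continue
        threshold = mean(hist) + 3 * pstdev(hist)
        if rec["bytes"] > threshold:
            alerts.append({"rule": "unusual_s3_egress", "ttp": "T1530", "source": "aws",
                           "ts": rec["first_ts"], "user": user, "ip": rec["ip"],
                           "bytes_out": rec["bytes"], "baseline": threshold})
    return alerts


def correlate(alerts):
    """Chain alerts that share a user entity and fall within the window into
    one threat with a merged, time-ordered timeline across log sources."""
    by_user = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_user[a["user"]].append(a)
    threats = []
    for user, items in by_user.items():
        current = [items[0]]
        for a in items[1:]:
            if parse_ts(a["ts"]) - parse_ts(current[-1]["ts"]) <= CORRELATION_WINDOW:
                current.append(a)
            else:
                threats.append(_threat(user, current))
                current = [a]
        threats.append(_threat(user, current))
    return threats


def _threat(user, items):
    return {"user": user, "rules": [a["rule"] for a in items],
            "ttps": sorted({a["ttp"] for a in items}),
            "timeline": [(a["ts"], a["source"], a["rule"]) for a in items]}


def run(okta=OKTA_EVENTS, cloudtrail=CLOUDTRAIL_EVENTS, profiles=USER_PROFILE):
    return correlate(detect_idp(okta, profiles) + detect_cloud(cloudtrail, profiles))


if __name__ == "__main__":
    for t in run():
        print(t["user"], t["rules"], t["ttps"])
        for step in t["timeline"]:
            print("  ", *step)
```

Running it yields a single threat for alice that chains the Okta MFA deactivation and admin group add with the S3 egress spike seen in CloudTrail, while Bob's MFA reset from a known IP and his normal download volume produce nothing. The design point is that each rule stays simple; the signal comes from gating on a per-identity baseline and from merging by the user entity rather than by log source.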
Investigate faster and better, leveraging identity context
Apart from enabling powerful correlations, the unified user entity now contains rich identity context - Okta applications, Azure AD metadata, Google Workspace aggregations and more. Establishing a baseline during an investigation is now faster and easier than ever, combining Gem’s powerful data lake and the unique context retrieved from each IdP.
Integrate all of that in just a few minutes
Setting up log ingestion and API access can be accomplished in just a few minutes. Gem’s officially supported apps for each IdP eliminate the need to install bulky forwarders, subscribe to special plans, or worry about storage and costs.
End-to-end detection, in real-time
By integrating logs and context from all leading IdPs, Gem is now the first CDR to cover every part of the cloud kill chain, from identity and control plane to data, network and compute. Paired with unique automatic response capabilities and tailored containment options, Gem offers the most comprehensive real-time coverage for cloud threats, empowering organizations to always stay a step ahead of attackers.
Want to learn more? We’d love to connect and show you a live demo of Gem and these new capabilities.