Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

RSAC 2023 and identity security: what changed for practitioners?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: At RSAC 2023, identity security, ITDR, deception, cloud context enrichment, and eBPF-driven runtime observability emerged as the themes shaping modern defence, according to SentinelOne. The underlying message is that identity controls now need continuous context and process-level telemetry, not just authentication gates.

NHIMG editorial — based on content published by SentinelOne: RSAC 2023 final day recap and identity security sessions

By the numbers:

Questions worth separating out

Q: How should security teams detect identity misuse after authentication succeeds?

A: They should monitor for behavioural anomalies, permission overreach, unusual context shifts, and access to assets that do not match normal job or workload patterns.

Q: Why do service accounts and tokens need runtime monitoring?

A: Because valid credentials can still be used maliciously after they are issued.

Q: What do security teams get wrong about identity threat detection and response?

A: They often treat ITDR as a substitute for IAM, when it is actually complementary.

Practitioner guidance

  • Correlate identity events with workload context Connect authentication, token use, permission scope, and cloud configuration so analysts can judge whether an identity action is routine or adversarial.
  • Separate IAM validation from post-authentication monitoring Use IAM to govern entitlement, then layer detection for misuse patterns such as unusual lateral movement, repeated context switching, or access to decoy assets.
  • Instrument deception around high-value identity paths Place decoys near privileged accounts, secrets stores, and administrative paths that are attractive to intruders.

What's in the full article

SentinelOne's full recap covers the operational detail this post intentionally leaves for the source:

  • Partner talk track details from RSAC 2023, including the booth sessions and collaboration themes that were only summarised here.
  • The ITDR presentation content on deception tactics, including the specific detection logic and use cases discussed at the event.
  • The eBPF session details on cloud workload protection, including the runtime observability arguments and architecture discussion.
  • The partner integration example showing how cloud context was ingested into the platform during threat enrichment.

👉 Read SentinelOne's RSAC 2023 recap on identity security, ITDR, and cloud context →

RSAC 2023 and identity security: what changed for practitioners?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Runtime identity context is now a core control surface, not an optional enhancement. The article's emphasis on cloud context enrichment reflects a wider shift in identity security: access decisions are no longer meaningful unless defenders also understand permissions, configuration, and runtime state. That is especially true for NHI, where service accounts and tokens can be valid while still being dangerous. Practitioners should treat contextual telemetry as part of identity governance, not a separate security stack concern.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which explains why identity-led intrusions so often go undetected until abuse is already underway.

A question worth separating out:

Q: What is the difference between ITDR and IAM governance?

A: IAM governance manages entitlement, lifecycle, and policy. ITDR focuses on detection and response when those controls are bypassed or abused. The two are not interchangeable. Identity governance tells you what should happen, while ITDR tells you when identity behaviour has moved outside the expected boundary.

👉 Read our full editorial: RSAC 2023 showed identity security needs runtime context



   
ReplyQuote
Share: