When Identity Blind Spots And SaaS Oversight Define The Next Breach

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Quick Takeaways:

  • Brickhouse warns budgets favor walls while attackers exploit stolen credentials inside.
  • One misstep, like a misconfigured bucket or over-privileged account, can let attackers in.
  • Brickhouse highlights perimeter value, but stresses that identity threats require investment.
  • AI-assisted MDR trims false positives and sharpens automated response actions.
  • SaaS attack surfaces expand as misconfigurations and shared responsibility gaps persist.

Gary Brickhouse, Chief Information Security Officer at GuidePoint Security, spoke with TechNadu about the changing attack patterns across hybrid and SaaS environments.

Brickhouse has guided enterprise security programs, helping leaders balance perimeter investments against modern threats that now target identity and misconfigurations. His experience shows how credentials, once compromised, can let attackers pivot through cloud and SaaS systems without being noticed.

Organizations are realizing that legacy firewalls no longer hold the line when adversaries enter through the front door with valid credentials. Identity controls, anomaly detection, and zero-trust practices are essential for limiting lateral movement inside infrastructures.

Artificial intelligence is also reshaping detection pipelines, cutting alert fatigue, and enabling faster automated actions. But meaningful progress requires budgets that shift away from outdated perimeter focus.

Vishwa: How can organizations tackle attackers exploiting pivoting across hybrid cloud enterprise environments, as they can steal credentials and abuse cloud misconfigurations to mimic legitimate behavior and evade detection? Are these pivot techniques proving effective against the defensive strategies available today? What is still needed to handle the growing threat? 

Gary: Organizations should consider two strategies to reduce the likelihood of attackers pivoting across their enterprise environments. The first is to address the risk through a defense-in-depth approach.

This should include:

Secondly, organizations should approach this based on the “zero trust” model. In short, this model treats every access request as untrusted, requiring validation of users, devices, connection requests, etc.

Leveraging many of the controls mentioned above, a “zero trust” approach can reduce the impact of a compromised credential by making the compromise of one identity or system far less likely to result in a breach.

Unfortunately, in spite of improvements in defenses and the use of modern controls, credential compromise and subsequent attempts by threat actors to pivot are still successful.

As the saying goes, “Defenders have to be right all the time. Attackers only need to be right once.” That “once” just has to be a misconfigured storage bucket, an unpatched subcontractor laptop, or an over-privileged service account for the best defenses to falter. 

Organizations need to continue to focus on the strategies mentioned above, but also look to build or improve their visibility through better, unified telemetry aggregating logs across the endpoint, cloud, and identity systems, and actionability through the use of agentic AI for automated response actions. 

Vishwa: What is your perspective on budgets still prioritizing legacy perimeter controls rather than real-time anomaly detection? What threat detection capabilities are most underfunded by security leaders and why? How far has this shifted compared to previous years?

Gary: Organizations that continue to focus primarily on legacy perimeter controls often struggle to keep pace with modern threats. Certainly, the perimeter still matters, but the reality is that threat actors are targeting identity, and investments should be shifted accordingly.

Without funding tied to identity controls like anomaly detection, the investment in your “castle walls” won’t matter when a threat actor walks through your front door based on compromised credentials. 

One underfunded area is around SaaS platforms. As organizations continue to move towards SaaS platforms, their attack surface is expanding as well. Several factors contribute here:

As for why this is often underfunded, SaaS solutions' ownership is often unclear, as responsibilities are shared within an organization, leaving security teams with limited visibility.

This can result in a misconception that the SaaS solutions represent a lower risk to the organization, even though the attack surface is growing rapidly. 

Vishwa: Do you see Artificial Intelligence reshaping Managed Detection and Response (MDR) pipelines, and which operational challenges is AI now solving in practical cyber defense? What more could be done to make better use of AI, like reducing false alarms? 

Gary: Definitely excited about what is happening in this space. In short, AI is able to do a large majority of the heavy lifting currently done by analysts, reducing time to make better-informed decisions.

This is accomplished through less noise, better correlation and data enrichment, easier querying via natural language, and, in some cases, taking action. 

The best news is that it is only getting better: updated models, better telemetry, more enrichment, and broader context. This all results in better use of AI in the MDR space and the reduction of false positives. 

Vishwa: How can organizations tackle limited internal expertise and integration complexity when deploying detection solutions, and how is behavioral anomaly detection evolving to stop early lateral movement across complex environments?

Gary: Organizations can lessen the impact of expertise and complexity challenges by addressing the people, process, and technology when deploying detection solutions. From a technology perspective, selecting solutions featuring more native integrations that align with your environment can help reduce the technical burden of implementation.

Deployment challenges can also be offset by having a good strategy that focuses on a phased approach, enabling quick wins or a risk-based approach addressing specific attack vectors versus attempting a more complex, comprehensive implementation.

And to address the expertise challenges, external expertise should be leveraged as part of the selection and deployment efforts, with a longer-term focus on investing in training for existing team members. 

Behavior anomaly detection is evolving rapidly, building on existing user baseline data and incorporating user behavior analytics to better understand patterns and context of user activity, helping to better identify real threats while reducing false positives.

These solutions are also leveraging threat intelligence data to better understand how threat actors work, improving their ability to earlier identify and take action on threat actor behavior.

Vishwa: Which Artificial Intelligence-driven phishing trends demand a serious tooling overhaul in the financial sector, and what broader cyber-attack patterns do you anticipate dominating this industry next?

Gary: AI has enabled threat actors to significantly increase the effectiveness of phishing threats, resulting in an increase in fraud across financial institutions. AI is being leveraged to create more realistic, personal, and relevant phishing campaigns than ever. 

In addition, threat actors have moved outside the traditional email approach with voice and video deepfakes, impersonating CFOs or other executives as well as targeting call centers to impersonate customers.

As for other attack patterns, threat actors will continue to target supply chain/third-party partners as an easier path to compromise and often on a larger scale. Expect to see a rise in API attacks, targeting bank interfaces.

Vishwa: What tools or measures would you recommend for beginners to prevent ransomware and credential theft? And what advanced tools should experienced defenders adopt to stay ahead?

Gary: The three most common entry points for ransomware are unpatched systems, misconfiguration, and credential compromise via phishing. Based on this, organizations should prioritize the use of MFA on all accounts (not just privileged accounts) and enforce complex passwords.

They should focus on vulnerability management, both from a visibility of their attack surface perspective and actually patching systems. Systems should be hardened and monitored for drift from the established secure baseline. Implement an EDR tool to protect endpoints and an email security tool to block phishing attacks. 

And finally, user awareness and training for employees targeting phishing and fraudulent communications. As for some advanced tools for consideration, behavior-based analytics, security posture management based on your domain-specific architecture and risks, SOAR or agentic AI for automated responses, and deepfake detection. 
