Identity Exposure Management

overview what is identity exposure management? by pairing industry leading coverage of exposed credentials and session cookies with simple, actionable, automated validation and remediation workflows, identity exposure management enables you to proactively tackle identity exposures, shrink response times, and drastically reduce the chances of a business disrupting breach core concepts identity identifiers identity identifiers are a new type of identifier designed to represent a person and their associated attributes identity identifiers replace these existing types email, name, and username email, name and username identifiers have been transitioned to identity identifiers authorized vs unauthorized identities authorized identities authorized identities are identifiers that have been synced with an identity provider this enables the various functionality such as identity profiles, credential validation and remediation these identifiers are automatically created through syncing with your entra id instance one to one coverage for all employees within your entra id instance is the default configuration motion authorized identity identifiers enable additional platform functionality, including enriched identity profiles, “blast radius” visualizations, and automated validation and remediation of exposed identities authorized identity identifiers require additional permissions within your entra id’s connection with flare authorized identity identifiers are fundamentally different and separate from identity identifiers and all other standard flare identitifiers they are available at an additional cost within your flare subscription reach out to your flare customer success representative for more information unauthorized identities unauthorized identities are identifiers that have not been synced with an identity provider this restricts all identity related features except manual password validation previously referred to as “email”, "name", and “username” identifiers, these have been consolidated under the “identity” category these identifiers can be manually configured and managed in the same way as flare’s other identifier types unauthorized identity identifiers are priced the same way as other standard flare identifier types manual credential validation via entra id remains available to all flare customers identity identifiers creation there are two ways to create an identity identifier sync your identities from entra id (authorized) manually create an identity identifier (unauthorized) impact on subscription confirm you have the proper number of identifiers for the number of identity identifiers you want to create for additional configuration details, please refer to docid\ bpcmrpdohzer0cc83vcdn once identity identifiers are set up, docid\ wl3hdzqylk5shvy 7towz are available to view their attributes, exposure level indicators, and blast radius getting started setup overview create an app registration through docid\ z x8zdlsy7wd0c1jdpxg7 determine the remediation capabilities and assign the appropriate permissions setup the integration in the integration hub import your identities if using mark as compromised create a conditional access policy permissions the table below highlights the application permissions to assign to the app registration directory read all is required for the integration however each of the permissions corresponds to a different remediation capability determine which permission best corresponds with your organizations remediation needs add directory read all then what you need if you’re not using a remediation option, you don’t have to grant its permission capability permission identity profiles & directory reads directory read all revoke user sessions (invalidate refresh tokens) user revokesessions all disable user account user enabledisableaccount all mark user as compromised identityriskyuser readwrite all mark user as compromised requires a conditional access policy to fully remediate the user creating & managing identities from the docid\ dgkccvrbcbeyxleadwamu page you can select create identifier select identity as "type" fill the rest out appropriately an authorized identity identifier requires the identity to be imported from entraid manually creating identity identifiers will result in an unauthorized identity identifier unless the user is within entra id and within the scope of the import merging identities to merge identity identifiers, you can go to the identifiers tab select the three dots (hamburger menu) on the left hand side and you can merge with a specific identity alerting within the alerts page, create a new alert identifier scope corporate identities severity filters critical from the integration hub you can enable the identity import from the docid\ z x8zdlsy7wd0c1jdpxg7 this will import identities from entra id and create associated identity identifiers note you must be an organization admin to access the integrations hub if you import a group, only users from the group will be imported, if there is no group everyone will be imported consider creating a dynamic group in entra id with appropriate include or exclude conditions to maintain this integration credential browser enabled features select the desired validation and remediation capabilities you can select multiple confirm the app registration has the appropriate application permissions to be able to perform these operations note remediation action occurs if the credential is confirmed valid finally test and save the integration identity identifiers will be imported from entra id identies and created automated pasword validation will occur for any credential found in the last 24 hours conditional access policy setup (for mark as compromised) if the remediation option is mark as compromised a conditional access policy is required to action the signal flare sends (if not using mark as compromised skip this section) this requires microsoft p1 or business premium licenses flare recommended implementation users all users however this can be finegrained to lower the scope target resources all resources conditions user risk is high grant access require authentication strength ( we recommend using passwordless mfa if possible ) and require a password change session sign in frequency every time alternatively use identity protection or logic apps for more fine grained remediation options troubleshooting confirm the correct permissions are applied to the app registration confirm the secret value is being entered and not the secret id confirm the integration has been tested within flare credentials browser viewing credentials the credential browser shows the associated leaked credentials from the dark web each credential is shown as an individual entry showing the same identities multiple times with different passwords this page is the jumping off point for credential validation, remediation actions, and the identity profile validation & remediation each row has the idp credential status this column shows the results of the idp password validation attempt if a password comes back true other entries for that identity will be marked as false for an identity press validate to confirm the password if it is returned true, flare will offer the remediation options if false, nothing will happen automated validation and remediation can be set up in the integrations hub alternatively pressing on an identity presents the validation option within the overview tab automation capabilities automations can be enabled within the docid\ z x8zdlsy7wd0c1jdpxg7 flare offers a variety of different automation solutions to enable the most appropriate solution for each organization currently flare offers the following password validation mark as compromised revoke session disable user flare is evaluating additional automations feel free to reach out to your csm with desired automations faqs q how do i enable identity exposure management? to enable identity exposure management, purchase a package and your csm will enable it from here create a sync with entra id to authorize your identity identifiers q how do i connect my idp? to connect your idp create an app registration within entra id and enter the client secret and client id within the docid\ z x8zdlsy7wd0c1jdpxg7 page q will this lock my accounts? password validation can lock accounts however, flare has built in mitigations to prevent this verify your company’s smart lockout policy to understand how long accounts are locked for default policy is one minute which would have minimal business impact q how do i verify or reset credentials? credentials can be verified by one of two ways, either by pressing validate or having the automation run flare does not reset credentials but sends a signal to a conditional access policy configured within the customer's tenant to reset the password q what is the pricing? identity exposure management is available at an additional cost within your flare subscription reach out to your flare customer success representative for more information q what’s on the roadmap? flare has an exciting roadmap to continue to build out the blast radius, pull in more datapoints such as mfa, additional idps, cookie support and much much more stay tuned for the latest updates