Identity Exposure Management
Overview

What is Identity Exposure Management?

By pairing industry-leading coverage of exposed credentials and session cookies with simple, actionable, automated validation and remediation workflows, Identity Exposure Management enables you to proactively tackle identity exposures, shrink response times, and drastically reduce the chances of a business-disrupting breach.

Core Concepts

Identity Identifiers

Identity identifiers are a new type of identifier designed to represent a person and their associated attributes. Identity identifiers replace the existing email, name, and username identifier types: email, name and username identifiers have been transitioned to identity identifiers.

Authorized vs. Unauthorized Identities

Authorized identities

Authorized identities are identifiers that have been synced with an identity provider. This enables functionality such as identity profiles, credential validation and remediation. These identifiers are automatically created through syncing with your Entra ID instance; one-to-one coverage for all employees within your Entra ID instance is the default configuration.

Authorized identity identifiers enable additional platform functionality, including enriched identity profiles, "blast radius" visualizations, and automated validation and remediation of exposed identities. Authorized identity identifiers require additional permissions within your Entra ID connection with Flare.

Authorized identity identifiers are fundamentally different and separate from identity identifiers and all other standard Flare identifiers. They are available at an additional cost within your Flare subscription; reach out to your Flare customer success representative for more information.

Unauthorized identities

Unauthorized identities are identifiers that have not been synced with an identity provider. This restricts all identity-related features except manual password validation. Previously referred to as "email", "name", and "username" identifiers, these
have been consolidated under the "identity" category. These identifiers can be manually configured and managed in the same way as Flare's other identifier types. Unauthorized identity identifiers are priced the same way as other standard Flare identifier types. Manual credential validation via Entra ID remains available to all Flare customers.

Identity Identifier Creation

There are two ways to create an identity identifier:

- Sync your identities from Entra ID (authorized)
- Manually create an identity identifier (unauthorized)

Impact on subscription: confirm you have the proper number of identifiers for the number of identity identifiers you want to create. For additional configuration details, please refer to Configure Identifiers.

Identity Profiles

An identity profile is a centralized location to view an identity, their attributes, exposures, and blast radius. An identity profile requires an authorized identity identifier.

Attributes & Data Sources

Currently the following attributes are collected from Entra ID:

- Last password change date
- Sign-in session validity date
- Token validity date
- Job title
- Department
- User type
- Account enabled

Blast Radius

The blast radius shows the sprawl an attacker could reach with the user's Entra ID permissions and leaked attributes.

Severity Levels

- Critical: a cookie or credential that matches a domain identifier, or that is tied to a service designated as critical based on its popularity and prevalence online
- High: a cookie or credential tied to a service designated as high based on its popularity and prevalence online
- Medium: a cookie or credential tied to a service designated as medium based on its popularity and prevalence online; these are more common
- Low: everything else
- Info: expired or tracking cookies

Exposure Summary & Event Timeline

The timeline shows the various leaks related to the identity and when they occurred. The timeline number counts the occurrence, not the number of
instances of that data type within it. For example, the event timeline could show a single leak of exposed PII while the table view shows many PII leaks, because that one leak contained that number of data points.

Event types:

- Passwords
- Stealer logs
- Exposed PII
- Illicit networks
- Open web

Getting Started

Setup Overview

1. Create an app registration through the Integrations Hub.
2. Determine the remediation capabilities and assign the appropriate permissions.
3. Set up the integration in the Integrations Hub.
4. Import your identities.
5. If using Mark as Compromised, create a Conditional Access policy.

Permissions

The table below highlights the application permissions to assign to the app registration. Directory.Read.All is required for the integration; each of the other permissions corresponds to a different remediation capability. Determine which permissions correspond to your organization's remediation needs: add Directory.Read.All, then what you need. If you're not using a remediation option, you don't have to grant its permission.

Capability                                          Permission
Identity profiles & directory reads                 Directory.Read.All
Revoke user sessions (invalidate refresh tokens)    User.RevokeSessions.All
Disable user account                                User.EnableDisableAccount.All
Mark user as compromised                            IdentityRiskyUser.ReadWrite.All

Mark user as compromised requires a Conditional Access policy to fully remediate the user.

Creating & Managing Identities

From the Identifiers page you can select Create Identifier, select Identity as the type, and fill out the rest appropriately. An authorized identity identifier requires the identity to be imported from Entra ID; manually creating identity identifiers will result in an unauthorized identity identifier unless the user is within Entra ID and within the scope of the import.

Merging Identities

To merge identity identifiers, go to the Identifiers tab, select the three dots (hamburger menu) on the left-hand side, and you can merge with a specific identity.

Alerting
Coming very soon: we are working on providing this functionality in the next major update in November.

Integrations Hub

From the Integrations Hub you can enable the identity import. This will import identities from Entra ID and create associated identity identifiers.

Note: you must be an organization admin to access the Integrations Hub.

If you import a group, only users from that group will be imported; if there is no group, everyone will be imported. Consider creating a dynamic group with appropriate include or exclude conditions to maintain this group.

Credential Browser Enabled Features

Select the desired validation and remediation capabilities; you can select multiple. Confirm the app registration has the appropriate application permissions to be able to perform these operations.

Note: remediation action occurs only if the credential is confirmed valid. Make sure automated remediation is selected here.

Finally, test and save the integration. Identity identifiers will be imported from Entra ID identities and created, and automated password validation will occur for any credential found in the last 24 hours.

Conditional Access Policy Setup (for Mark as Compromised)

If the remediation option is Mark as Compromised, a Conditional Access policy is required to action the signal Flare sends (if not using Mark as Compromised, skip this section). This requires Microsoft P1 or Business Premium licenses.

Flare recommended implementation:

- Users: all users; however, this can be fine-grained to lower the scope
- Target resources: all resources
- Conditions: user risk is high
- Grant access: require authentication strength (we recommend using passwordless MFA if possible) and require a password change
- Session: sign-in frequency every time

Alternatively, use Identity Protection or Logic Apps for more fine-grained remediation options.

Troubleshooting

- Confirm the correct permissions are applied to the app registration
- Confirm the secret value is being entered and not the secret ID
- Confirm
the integration has been tested within Flare

Credentials Browser

Viewing Credentials

The credential browser shows the associated leaked credentials from the dark web. Each credential is shown as an individual entry, so the same identity may appear multiple times with different passwords. This page is the jumping-off point for credential validation, remediation actions, and the identity profile.

Validation & Remediation

Each row has the IdP credential status. This column shows the result of the IdP password validation attempt; if a password comes back true, the other entries for that identity will be marked as false. For an identity, press Validate to confirm the password: if it is returned true, Flare will offer the remediation options; if false, nothing will happen. Automated validation and remediation can be set up in the Integrations Hub. Alternatively, pressing on an identity presents the validation option within the Overview tab.

Automation Capabilities

Automations can be enabled within the Integrations Hub. Flare offers a variety of automation solutions so that each organization can pick the most appropriate one. Currently Flare offers the following:

- Password validation
- Mark as compromised
- Revoke session
- Disable user

Flare is evaluating additional automations; feel free to reach out to your CSM with desired automations.

FAQs

Q: How do I enable Identity Exposure Management?
To enable Identity Exposure Management, purchase a package and your CSM will enable it. From there, create a sync with Entra ID to authorize your identity identifiers.

Q: How do I connect my IdP?
To connect your IdP, create an app registration within Entra ID and enter the client secret and client ID within the Integrations Hub page.

Q: Will this lock my accounts?
Password validation can lock accounts; however, Flare has built-in mitigations to prevent this. Verify your company's smart lockout policy to understand how long accounts are locked for. The default policy is one minute, which would have minimal business impact.

Q: How do I verify or reset credentials?
Credentials can be verified in one of two ways: either by pressing Validate or by having the automation run. Flare does not reset credentials but sends a signal to a Conditional Access policy configured within the customer's tenant to reset the password.

Q: What is the pricing?
Identity Exposure Management is available at an additional cost within your Flare subscription. Reach out to your Flare customer success representative for more information.

Q: What's on the roadmap?
Flare has an exciting roadmap to continue to build out the blast radius, pull in more data points such as MFA, additional IdPs, cookie support and much more. Stay tuned for the latest updates.
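A check for the Permissions and Troubleshooting sections above, added here as an example and not Flare's own tooling: it resolves the Microsoft Graph application permissions actually granted to the app registration's service principal and compares them with the capability table. It assumes the Microsoft.Graph PowerShell module is installed, a caller with Application.Read.All, and the placeholder $FlareClientId replaced by your app registration's client ID.

```powershell
# Added example (not Flare's code). Placeholder: the Client ID of your Flare app registration.
$FlareClientId = '<client-id-of-your-flare-app-registration>'

# Capability -> Graph application permission, as listed in the Permissions table.
# Directory.Read.All is always required; the rest only for the remediation options you enable.
$RequiredByCapability = [ordered]@{
    'Identity profiles & directory reads' = 'Directory.Read.All'
    'Revoke user sessions'               = 'User.RevokeSessions.All'
    'Disable user account'               = 'User.EnableDisableAccount.All'
    'Mark user as compromised'           = 'IdentityRiskyUser.ReadWrite.All'
}

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Microsoft Graph's own service principal (well-known appId) defines the app roles we resolve against.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$flareSp = Get-MgServicePrincipal -Filter "appId eq '$FlareClientId'"
if (-not $flareSp) {
    throw "No service principal for appId $FlareClientId; admin consent may not have been granted yet."
}

# Granted application permissions live as app role assignments on the service principal,
# not on the app registration object, so this is where consent failures show up.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $flareSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }

foreach ($capability in $RequiredByCapability.Keys) {
    $perm   = $RequiredByCapability[$capability]
    $status = if ($granted -contains $perm) { 'GRANTED' } else { 'MISSING' }
    '{0,-8} {1,-34} {2}' -f $status, $perm, $capability
}
```

A MISSING line is only a problem for a capability you have enabled in the Credential Browser settings; Directory.Read.All must always be GRANTED.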
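The Conditional Access policy recommended above, written out as a Microsoft Graph conditionalAccessPolicy object; this is an added example, not Flare's code. It assumes the Microsoft.Graph PowerShell module and Policy.ReadWrite.ConditionalAccess rights, the policy name is constructed, the policy is created in report-only mode so it can be reviewed before enforcement, and the well-known id of the built-in "Passwordless MFA" authentication strength should be verified in your tenant before you rely on it.

```powershell
# Added example (not Flare's code): the user-risk policy that actions Flare's
# "mark as compromised" signal. Requires Entra ID P1 or Business Premium.
$PolicyName = 'Flare - Remediate high user risk'   # constructed name

# Built-in authentication strength "Passwordless MFA" (well-known id); confirm it under
# Entra ID > Authentication methods > Authentication strengths in your tenant.
$PasswordlessMfaStrengthId = '00000000-0000-0000-0000-000000000003'

$policy = @{
    displayName = $PolicyName
    # Report-only first: review the sign-in log impact, then change to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        userRiskLevels = @('high')                          # condition: user risk is high
        users          = @{ includeUsers = @('All') }       # narrow with includeGroups/excludeUsers;
                                                            # exclude emergency-access accounts
        applications   = @{ includeApplications = @('All') } # target resources: all resources
    }
    grantControls = @{
        operator               = 'AND'                      # both controls are required
        builtInControls        = @('passwordChange')        # require a password change
        authenticationStrength = @{ id = $PasswordlessMfaStrengthId }  # require auth strength
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled         = $true
            frequencyInterval = 'everyTime'                 # sign-in frequency: every time
        }
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```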