Discover how to strengthen your defences
In today’s threat landscape, attackers often don’t need to break into your environment. They can simply log in. Compromised credentials, weak authentication and attacks targeting cloud identity providers like Microsoft Entra ID and Google Workspace are responsible for a large proportion of breaches today. Identity is now one of the most important factors in both detecting and preventing compromises.
Zero Trust for modern environments
Traditional perimeter security like VPNs often assumes that, once someone has authenticated at the edge, they can be trusted inside the network, and a single successful login typically grants broad network-level reach. But, with password spraying, social engineering and credential theft now daily occurrences, that single check at the boundary is no longer enough.
Zero Trust is built on the principle of ‘never trust, always verify.’ That means moving beyond a single point of authentication and instead continuously evaluating who is accessing your systems, how they’re authenticating, and what privileges they’re exercising. Modern Zero Trust implementations often incorporate behavioural analytics to assess what normal activity looks like for each identity and detect deviations that could indicate compromise. In effect, every access request is treated as potentially compromised, until proved otherwise.
Why this matters
Once an attacker gains valid access through a perimeter control, they will move fast. Solis regularly investigates compromises where attackers have used remote administration tools such as PowerShell, Windows Management Instrumentation (WMI) and Remote Desktop Protocol (RDP) to access servers, interact with endpoints and pivot across internal networks. Because these attackers are using legitimate credentials, many traditional defences might not immediately detect the threat.
Identity-based monitoring helps reveal activity that doesn’t align with normal user behaviour. This could include unusual login times, access to unfamiliar resources, or privilege use that seems out of character. In many incidents, identity-related actions provide the earliest indications that something’s wrong and the first opportunity to stop the attack.
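The behavioural baselining described above, as an added example that is not Solis’s tooling or code from the original article: it builds a per-identity profile (countries, applications, sign-in hours, activated roles) from a training window of sign-in records shaped like the Microsoft Graph signIn resource, then reports how a new event deviates from that identity’s own baseline. All records are constructed sample data; the `activatedRole` field is an assumption standing in for a PIM role-activation audit entry joined to the sign-in.

```python
"""Identity-behaviour baselining over Entra ID-style sign-in records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Field names follow the Graph signIn object
# (userPrincipalName, createdDateTime, ipAddress, location, appDisplayName);
# 'activatedRole' is an assumed extra field, not part of the Graph resource.
BASELINE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-04T08:12:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Office 365 Exchange Online", "activatedRole": None},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-05T09:40:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Microsoft Teams", "activatedRole": None},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-06T17:05:00Z",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Office 365 Exchange Online", "activatedRole": None},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-04T10:00:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "IE"},
     "appDisplayName": "Azure Portal", "activatedRole": "Global Reader"},
]

NEW_EVENTS = [
    # alice: usual country, usual app, 09:00 -> nothing to flag
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-11T09:02:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Office 365 Exchange Online", "activatedRole": None},
    # alice: 03:17, new country, new app, first-ever role activation -> several deviations
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-12T03:17:00Z",
     "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "RU"},
     "appDisplayName": "Azure Portal", "activatedRole": "Exchange Administrator"},
    # bob: everything normal except a role he has never activated before
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-12T10:30:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "IE"},
     "appDisplayName": "Azure Portal", "activatedRole": "Global Administrator"},
    # carol: no history at all
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-03-12T11:00:00Z",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "IE"},
     "appDisplayName": "Microsoft Teams", "activatedRole": None},
]


def _hour(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_baseline(events):
    """Per-identity profile of what 'normal' looked like during the training window."""
    profile = defaultdict(lambda: {"countries": set(), "apps": set(), "hours": set(), "roles": set()})
    for e in events:
        p = profile[e["userPrincipalName"]]
        p["countries"].add(e["location"]["countryOrRegion"])
        p["apps"].add(e["appDisplayName"])
        p["hours"].add(_hour(e["createdDateTime"]))
        if e.get("activatedRole"):
            p["roles"].add(e["activatedRole"])
    return dict(profile)


def score_event(event, baseline):
    """List the ways one event deviates from that identity's own baseline."""
    p = baseline.get(event["userPrincipalName"])
    if p is None:
        return ["no-baseline"]  # new identity: nothing to compare against, review separately
    findings = []
    if event["location"]["countryOrRegion"] not in p["countries"]:
        findings.append("new-country")
    if event["appDisplayName"] not in p["apps"]:
        findings.append("new-app")
    h = _hour(event["createdDateTime"])
    # Off-hours: more than one hour away (wrapping at midnight) from every hour seen before.
    if all(min((h - seen) % 24, (seen - h) % 24) > 1 for seen in p["hours"]):
        findings.append("off-hours")
    role = event.get("activatedRole")
    if role and role not in p["roles"]:
        findings.append("unusual-privilege")
    return findings


def triage(new_events, baseline, threshold=2):
    """Events with at least `threshold` deviations, as (user, time, findings) tuples.

    A single deviation (a new app, a late night) is common; several at once on one identity is
    the pattern worth waking someone up for.
    """
    out = []
    for e in new_events:
        f = score_event(e, baseline)
        if len(f) >= threshold:
            out.append((e["userPrincipalName"], e["createdDateTime"], f))
    return out


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for user, when, findings in triage(NEW_EVENTS, base):
        print(f"{when} {user}: {', '.join(findings)}")
```

The threshold is deliberately simple: in practice you would weight findings (a first-ever privileged role activation from a new country should outrank a new app on its own) and feed the result into the same queue as your endpoint alerts, so the identity signal and the host signal for the same user land in front of the same analyst.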
Identity-first containment
A Zero Trust approach reframes containment by prioritising identity control before focusing on endpoints. When an account is suspected of being compromised, immediate actions include disabling the account, revoking active sessions, resetting the password and removing any authentication methods the attacker may have registered. These measures can cut off an attacker’s access quickly, even if the affected device has not yet been fully isolated. One caveat: revoking sessions invalidates refresh tokens and session cookies, but access tokens that have already been issued remain usable until they expire (typically up to an hour) unless the application honours continuous access evaluation, so the attacker’s current session may linger briefly after the account is disabled.
Organisations can also apply temporary safeguards to privileged accounts, restrict access to critical systems, and enforce reauthentication across sensitive services. Combining these steps limits an attacker’s ability to escalate privileges, move laterally, and maintain persistence during an incident. Identity-based containment offers a faster, more reliable way to regain control, especially when attackers are already inside the perimeter.
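The containment sequence described above (disable, revoke sessions, strip registered MFA methods, reset the password), as an added example against the Microsoft Graph API for an Entra ID account. This is not Solis’s playbook or code from the original article. It assumes a bearer token in the `GRAPH_TOKEN` environment variable with at least User.ReadWrite.All, User.RevokeSessions.All and UserAuthenticationMethod.ReadWrite.All, plus whatever permission and directory role your tenant requires for resetting a passwordProfile (higher for admin accounts). The transport is injectable so the sequence can be dry-run and tested offline; the recorded authentication-method IDs in the dry run are constructed.

```python
"""Identity-first containment of a suspected-compromised Entra ID account (added example)."""
import json
import os
import secrets
import string
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph authentication-method @odata.type -> collection the DELETE is sent to.
# The password method cannot be deleted (it is reset instead) and Windows Hello
# for Business is deliberately left alone, so neither appears here.
REMOVABLE_METHODS = {
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.softwareOathAuthenticationMethod": "softwareOathMethods",
    "#microsoft.graph.fido2AuthenticationMethod": "fido2Methods",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod": "temporaryAccessPassMethods",
}


def graph_transport(method, url, body=None):
    """Live transport: one Graph call using the bearer token from GRAPH_TOKEN (assumed to be set)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + os.environ["GRAPH_TOKEN"],
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def recording_transport(log, registered_methods=()):
    """Offline transport: records every call into `log` and answers the GET with constructed methods."""
    def transport(method, url, body=None):
        log.append((method, url[len(GRAPH):], body))
        if method == "GET":
            return {"value": list(registered_methods)}
        return {}
    return transport


def random_password(length=24):
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def contain_identity(user, transport=graph_transport):
    """Disable, revoke, remove MFA registrations, reset password, in that order.

    Returns the list of actions taken so the responder (and the test) can audit the sequence.
    """
    base = f"{GRAPH}/users/{user}"
    actions = []
    # 1. Block new sign-ins first: any token refresh after this point fails.
    transport("PATCH", base, {"accountEnabled": False})
    actions.append("disabled")
    # 2. Invalidate refresh tokens and session cookies. Access tokens already issued stay valid
    #    until they expire (up to an hour) unless the client supports continuous access evaluation.
    transport("POST", base + "/revokeSignInSessions")
    actions.append("sessions-revoked")
    # 3. Remove every MFA registration, including any the attacker added to keep their foothold.
    methods = transport("GET", base + "/authentication/methods").get("value", [])
    for m in methods:
        collection = REMOVABLE_METHODS.get(m.get("@odata.type"))
        if collection is None:
            continue  # password, Windows Hello, etc.: not deletable through these endpoints
        transport("DELETE", f"{base}/authentication/{collection}/{m['id']}")
        actions.append(f"removed:{collection}")
    # 4. Reset the password and force a change so the stolen credential is useless even if re-enabled.
    transport("PATCH", base, {"passwordProfile": {
        "forceChangePasswordNextSignIn": True, "password": random_password()}})
    actions.append("password-reset")
    return actions


if __name__ == "__main__":
    # Dry run against constructed data; swap in graph_transport to act for real.
    calls = []
    fake_methods = [
        {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "pw-1"},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "id": "phone-1"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "auth-1"},
    ]
    print(contain_identity("alice@example.com", recording_transport(calls, fake_methods)))
    for method, path, body in calls:
        print(method, path, body or "")
```

The order is the point: disabling before revoking closes the window in which an attacker could refresh a token between the two calls, and the MFA cleanup comes before the password reset so that a newly registered authenticator cannot be used to complete self-service recovery. Re-enabling the account later must be paired with the user re-registering MFA through a verified channel.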
Takeaways
Implementing key aspects of a Zero Trust approach doesn’t necessarily require a complete transformation to deliver value.
You can make meaningful progress with a few focused steps:
· Enforcing strong MFA across all services
· Applying conditional access policies
· Auditing and reducing privileged accounts
· Monitoring identity behaviour alongside endpoint activity.
Taking these simple actions makes it significantly harder for attackers to operate within your environment and strengthens your organisation’s ability to respond quickly and effectively if an incident occurs. By putting identity at the centre of your security strategy, you can better protect your organisation against modern threats, and reduce the impact of future compromises.