When industrial automation giant Schneider Electric revealed last month that ransomware gang Hellcat stole 40GB of sensitive data, the attackers acknowledged using exposed credentials to breach Schneider’s Jira server. 

Once inside the company’s project management system, attackers used the miniOrange REST API, a widely used authentication plug-in, to exfiltrate 400,000 rows of data, including 75,000 email addresses, employee names, and customer records. 

What this and dozens of other incidents have in common is that the attackers exploited vulnerabilities in non-human identities (NHIs). Unlike human identities used for authentication by individuals via identity and access management (IAM) credentials, NHIs, also known as machine identities or service accounts, are used by applications, services, and Internet of Things (IoT) installations for authenticating machine-to-machine communications. 

Predictably, investors are funding startups with products that govern and mitigate NHI risk, while more established companies are adding such capabilities, either internally or via acquisition. 

Astrix Security, a prominent startup that says it created the term NHI, earlier this month raised $45 million in Series B funding led by Menlo Ventures and artificial intelligence (AI) platform provider Anthropic, bringing its total funding to $85 million since its founding in 2021.

“A year ago, the term NHI did not exist, and now everyone is talking about them,” says Astrix co-founder and CEO Alon Jackson.

Astrix describes its platform as a suite of identity security posture management (ISPM) tools, including non-human identity threat detection and response, NHI life cycle management, auto-remediation, and secrets scanning. 

Where NHIs Are Vulnerable

Typical NHIs include API keys, bots, OAuth tokens, database credentials, certificates, and secrets. As organizations have accelerated use of cloud-native applications, IoT infrastructure, and, most notably, AI-based automation during the past two years, NHIs have become a more alarming threat.

Unlike human identities covered by IAM and privileged access management (PAM), NHIs are rarely managed centrally, and they are more likely to carry excessive permissions with no expiration date.

“There are numerous issues with NHIs, including unencrypted credentials, having a full inventory of NHI accounts, inactive accounts, and lack of account ownership,” explained Omdia senior analyst Don Tait in a November report.  

Many CISOs are just learning the implications of NHIs. A recent Cloud Security Alliance (CSA) survey of over 800 security and IT professionals found that 24% plan to invest in NHI security during the next six months, and 36% will do so within a year.

More than half of those surveyed believe they may have experienced an incident related to NHIs. 

Astrix is not the only company with NHI discovery and remediation tools attracting investors. Those that raised Series A funding in 2024 include Aembit ($25 million), Entro Security ($18 million), and Oasis Security ($35 million), which recently discovered the MFA bypass flaw in Microsoft Azure. 

The most prominent bet on protecting NHIs was placed in May when CyberArk paid $1.54 billion to acquire machine identity management provider Venafi.

“As NHI continues to evolve, so are the notable vendors in this space,” says Christopher Steffen, VP of research at Enterprise Management Associates (EMA). 

Meanwhile, AppSec providers are adding NHI protection capabilities to their offerings. GitGuardian, known for detecting and remediating leaked secrets in GitHub and other source code repositories, recently launched GitGuardian NHI Governance. GitGuardian officials describe it as an addition to its existing platform that will provide visibility and control of NHI life cycles and their associated secrets. 

GitGuardian’s initial release will integrate with five key secrets management platforms: HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault.

Role of NHI Security 

Failure to adequately rotate credentials, overprivileged accounts or identities, and insufficient monitoring and logging are among the common causes of incidents involving compromised NHIs, the CSA report indicates.
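One way to turn the failure modes named in the CSA and Omdia findings (missing rotation, excessive privilege, no expiry, no owner, inactive accounts) into a posture check over an NHI inventory, as an added example that is not from the article or any vendor it names; the record layout, thresholds and sample identities are all constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Reference time and thresholds are constructed for this example.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
MAX_ROTATION_AGE = timedelta(days=90)   # rotate secrets at least quarterly
MAX_IDLE = timedelta(days=60)           # unused longer than this: likely orphaned
ADMIN_SCOPES = {"admin", "owner", "*"}  # scopes treated as excessive privilege

@dataclass
class NHI:
    # One machine identity, shaped like a secrets-manager or cloud IAM export.
    name: str
    kind: str                         # api_key, oauth_token, service_account, ...
    owner: Optional[str]              # accountable team; None = nobody owns it
    created: datetime
    last_rotated: Optional[datetime]  # None = never rotated since creation
    last_used: Optional[datetime]     # None = no recorded use at all
    expires: Optional[datetime]       # None = never expires
    scopes: Tuple[str, ...] = ()

def find_risks(nhi: NHI, now: datetime = NOW) -> List[str]:
    # Posture findings for one identity, in a fixed order so results compare cleanly.
    risks = []
    if nhi.owner is None:
        risks.append("no_owner")
    if nhi.expires is None:
        risks.append("no_expiry")
    if now - (nhi.last_rotated or nhi.created) > MAX_ROTATION_AGE:
        risks.append("stale_rotation")
    if nhi.last_used is None or now - nhi.last_used > MAX_IDLE:
        risks.append("inactive")
    if ADMIN_SCOPES & set(nhi.scopes):
        risks.append("overprivileged")
    return risks

def triage(inventory: List[NHI], now: datetime = NOW) -> dict:
    # Only identities with at least one finding appear in the report.
    return {n.name: r for n in inventory if (r := find_risks(n, now))}

# Constructed inventory; names and scopes are illustrative, not real credentials.
INVENTORY = [
    NHI("jira-ci-bot", "api_key", "platform-team", NOW - timedelta(days=400),
        None, NOW - timedelta(days=1), None, ("projects:read", "issues:write")),
    NHI("legacy-test-app", "oauth_token", None, NOW - timedelta(days=500),
        None, NOW - timedelta(days=200), None, ("admin",)),
    NHI("billing-db-reader", "service_account", "finance-eng", NOW - timedelta(days=30),
        NOW - timedelta(days=30), NOW - timedelta(days=2), NOW + timedelta(days=60), ("db:read",)),
]
```

Feeding `triage(INVENTORY)` the export from a real secrets manager would require mapping that product's field names onto the `NHI` record; the thresholds should match the organisation's own rotation policy.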

“To claim their identity, machines authenticate via secrets like API keys, OAuth tokens, database credentials, usernames and passwords, and certificates,” noted GitGuardian product manager Soudanya Ain in a blog post. “They’ve become the number one vector for a successful attack, frequently overlooked.”

Besides the Schneider incident, the NHI Management Group counts over 40 breaches tied to compromised non-human identity credentials during the past two years, including:

  • The Midnight Blizzard attack on Microsoft, in which the attackers accessed and breached a legacy test OAuth application with elevated privileges.

  • The Snowflake breach, which compromised its various customers, including Santander Bank and Ticketmaster.

  • Last summer’s GitHub extortion attacks by threat actors who used malicious OAuth apps to breach trusted third-party integrations.

  • A breach by an attacker who stole secrets, including authentication tokens from the popular Hugging Face open source repository of APIs and other resources for developers who build AI models. 

Next year, the risk from compromised NHIs is expected to grow, as is their ratio to human identities, as AI automates more business processes. Omdia’s Tait noted that industry estimates put the current ratio of NHIs to human identities at 50:1.

“That figure is only likely to increase going forward,” he wrote. 

“We do expect NHI growth is going to accelerate further,” added Maxine Holt, senior director of Omdia’s cybersecurity practice, speaking during a December webinar presented by Dark Reading.

Holt warned that ungoverned NHIs will further expand the threat landscape.

“These identities do require management to ensure secure communication between different services and to prevent unauthorized access and facilitate accountability,” she said. “Of course, we need the audit trail there as well. We believe that it’s really important to recognize non-human identities as a vital link in the cyber threat chain.”

According to the CSA survey, 69% said they are concerned about NHIs as a threat vector, while 38% reported that their organizations have low or no visibility to third parties connected by OAuth apps. Only 20% have a formal process for revoking API keys, and even fewer have procedures for rotating them. 

“There’s definitely that trend toward understanding NHI security better and addressing them,” said John Yeoh, CSA’s global VP of research, at a public meeting in September. “We only expect the NHI field to explode and get out further.”

Blending NHIs and Human Identities 

The current crop of NHI platforms is designed for machine identities, not for the human credentials managed by IAM and PAM systems from Microsoft, Okta, Ping Identity, JumpCloud, CyberArk, BeyondTrust, and OneLogin.

Astrix’s Jackson says its new round of funding will, in part, go toward expanding integration with human identities.

“Our customers are asking for a 360-degree view of the human and the non-human identities,” Jackson says. “But we will be keeping our edge on the NHI space. This is not just posture management and not just anomaly detection, but it’s creating the connections in a secure manner.”

GitGuardian, which deals with application security and platform engineering teams, has a similar ambition of providing links from its secrets vaults to IAM platforms.

“That’s the plan,” says Pierre Le Clézio, the company’s lead product manager. “But not yet. We are starting with the secret managers and that ecosystem, and then we will have the IAM systems.”

Anticipate M&A Activity 

As NHI security continues to evolve, so will the notable providers, EMA’s Steffen says.

“It seems very likely that larger technology players are going to jump into this space,” he says. “Many already have complementary offerings, like Wiz and Palo Alto Networks, and are jumping into NHI — either through acquisition or developing their own solution.”

Steffen also anticipates that identity providers like Ping and Okta will delve into NHI.

“They already have the infrastructure and the means to enhance NHI for most enterprises, as well as they already lead the market in identity solutions.”

Omdia’s Holt also anticipates M&A activity.

“The evolving threat landscape really does necessitate a shift toward comprehensive products and solutions that take on both human and non-human identities,” she said. “But the market is still developing. A lot of the players are startups. We expect to see more of a move towards platform support and more acquisitions during 2025 for managing non-human identities.”

Source: www.darkreading.com
