Identity Creep: You'll Never Reach Least Privilege, So Instrument the Blast Radius
92% of identities are over-permissioned and creep leaves no log line. Stop treating the blast radius as cleanup — instrument it instead.
6 posts
92% of identities are over-permissioned and creep leaves no log line. Stop treating the blast radius as cleanup — instrument it instead.
Most CTI programs measure IOCs ingested and reports published — activity, not effect. Here's what operationalized intelligence actually looks like.
Most teams 'do DaC' by putting Sigma in a repo. That's the easy 20%. The capability that scales is a tested lifecycle, not a toolchain.
You have ~45 non-human identities per human — and the signals your detection runs on (MFA, impossible travel, login geo) don't exist for any of them.
MFA fatigue has a MITRE technique ID. SOC alert flooding doesn't — same deliberate tactic, different target, and why your defenses keep failing.
ATT&CK coverage % looks good in board decks. Here's why it compounds into a ~6% actual catch rate — and what Threat Detection Coverage actually means.