The new firewall: How identity powers real-time cyber defence

October 28, 2025 • Resource
Posted by
Shelley Godden - Director, Digital Identity, Thales Cyber Services
Kevin Caballero - Principal DFIR Consultant, Thales Cyber Services

Identity is now the frontline of cyber defence. This article explains why static credentials and MFA alone aren’t enough, and how organisations can use real-time behavioural signals, adaptive controls, and a readiness checklist to detect and respond to threats, protecting critical data without disrupting business operations.

How to Implement Adaptive Identity Protection

1. Extend identity verification beyond login by monitoring user behaviour throughout each session.

2. Use real-time risk scoring to detect anomalies and escalate authentication as needed.

3. Implement adaptive controls: step-up MFA, granular restrictions, and session termination for high-risk activity.

4. Ensure SSO coverage, comprehensive MFA, and robust directory hygiene.

5. Centralize logging and correlate identity, device, and network signals in your SIEM/SOC.

For a decade we’ve heard that identity management is the new perimeter.

Despite this, however, many identity uplift programs still fixate on the front door - credentials, single sign-on, and a multi-factor authentication challenge at login. Once inside, users are able to roam across applications with minimal scrutiny, and that’s a blind spot attackers can exploit.

This webinar, presented by Thales Cyber Services specialists Shelley Godden, Director – Digital Identity, and Kevin Caballero, Principal DFIR Consultant, highlights why this attitude has to shift and why identity and access management needs to be treated as a continuous process, not a single checkpoint.

Verification shouldn’t end at authentication - it should be maintained across a user’s entire session.

Behaviour over credentials

Static credentials prove who you were at login, but online behaviour shows who you are right now.

Modern identity stacks baseline each user’s ‘rhythm’ and compare live activity against that norm, measuring factors like:

  • User velocity (e.g. from Sydney to New York in five minutes)

  • Human vs bot interaction patterns

  • Device, timing and app paths (which device, when, where, and in what order)

  • Fine-grained signals such as typing cadence on supported platforms

These signals feed a dynamic risk score that updates in real time.

For example, Jane usually signs in from Canberra 9–5 and accesses payroll. A 3am login from Eastern Europe that sprints across multiple apps and bulk-downloads HR data looks nothing like Jane’s profile, even if the same credentials were used to log in. The system should therefore escalate risk immediately.

Real-time risk scoring and adaptive response

When risk climbs mid-session, waiting for an analyst to notice a log takes too long. That is why automated, risk-based responses are best practice.

Automation can:

  • Step up authentication (re-prompt for MFA)

  • Introduce granular restrictions (limit movement to sensitive systems)

  • Terminate the session for high-risk behaviour

Done well, this approach improves the user experience: interventions occur only when behaviour deviates.

Session token theft: Why MFA alone isn’t enough

As noted by Kevin: “threat actors don’t break in - they log in”.

Over half of incidents now involve MFA bypass or account takeover, frequently via adversary-in-the-middle. This can take the form of a phishing proxy that mirrors the real login, intercepts credentials and MFA, then harvests the session token so that whoever holds it is treated as the user, or of malware delivered as ‘fake updates’ that drops scripts to exfiltrate stored credentials and tokens from the endpoint.

Practical detection mechanisms include flagging multiple IP addresses tied to the same session ID (suggesting replay) and statistical anomalies in login timing, device profile or geography.
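As an added example that is not from the webinar or from Thales, the following Python sketch ties together the behavioural baseline, the real-time risk score, the adaptive responses and the session-ID detection described above: it scores one session's events for the listed signals (user velocity, off-hours login, unfamiliar apps, bulk download, several IPs on one session ID) and maps the score to a response. The user profile, weights, thresholds, IP addresses and events are all constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed baseline for a hypothetical user "jane": Canberra, 9-5, payroll only.
JANE = {"loc": (-35.28, 149.13), "hours": range(9, 18), "apps": {"payroll"}}

def km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    p1, p2, dl = radians(a[0]), radians(b[0]), radians(b[1] - a[1])
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score_session(events, base):
    """Score one session ID's events against the user's baseline; returns (score, reasons)."""
    hits = []  # (points, reason); weights are illustrative, not a vendor's model
    ips = {e["ip"] for e in events}
    if len(ips) > 1:  # one session ID seen from several IPs: possible token replay
        hits.append((40, f"{len(ips)} IPs tied to one session ID"))
    for prev, cur in zip(events, events[1:]):  # user velocity between events
        hrs = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        if hrs > 0 and km(prev["loc"], cur["loc"]) / hrs > 1000:
            hits.append((30, "impossible travel between consecutive events"))
    first = events[0]
    if first["ts"].hour not in base["hours"]:
        hits.append((15, f"login at {first['ts']:%H:%M} outside baseline hours"))
    if km(first["loc"], base["loc"]) > 1000:
        hits.append((15, "login far from baseline location"))
    new_apps = {e["app"] for e in events} - base["apps"]
    if new_apps:
        hits.append((10, f"unfamiliar apps: {sorted(new_apps)}"))
    if sum(e.get("bytes", 0) for e in events) > 50_000_000:
        hits.append((20, "bulk download within session"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def respond(score):
    """Map the live risk score to an adaptive control (thresholds are assumptions)."""
    for floor, action in ((80, "terminate session"),
                          (60, "restrict access to sensitive systems"), (30, "step-up MFA")):
        if score >= floor:
            return action
    return "allow"

# Constructed session: Jane's stolen token used at 3am from Eastern Europe while her
# own IP is still active, sprinting into HR and bulk-downloading (documentation IPs).
SUSPECT = [
    {"ts": datetime(2025, 10, 28, 3, 0), "ip": "198.51.100.7", "loc": (44.43, 26.10),
     "app": "hr", "bytes": 120_000_000},
    {"ts": datetime(2025, 10, 28, 3, 4), "ip": "203.0.113.5", "loc": (-35.28, 149.13),
     "app": "payroll"},
]
```

Running `score_session(SUSPECT, JANE)` returns every flag in the article's Jane scenario and `respond` terminates the session, while the same user at 10am from Canberra in payroll scores zero.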

What good looks like: Foundations come first

You can’t unlock adaptive protection without solid plumbing. To help guide organisations to ‘good’, Shelley has developed a readiness checklist.

It includes:

  • SSO coverage across cloud and on-premise systems so sessions can be observed end-to-end

  • Comprehensive MFA, not just at the initial login, and phishing-resistant methods where feasible

  • Directory hygiene and robust joiner/mover/leaver processes across employees, contractors and suppliers

  • Centralised logging into SIEM/SOC so identity, device and network signals correlate

  • Conditional access that re-evaluates mid-session

Building the story for analysts

Static alert severities drown SOCs, so Kevin’s approach is to aggregate identity signals, device posture, and detections into a composite risk score that surfaces coherent stories instead of single-event noise.

In investigations, session IDs are useful for tracking threat actor activity within a compromised session: they let analysts scope the impact beyond the initial access and respond decisively. Will risk-based alerting add noise? At first, yes. It's not a replacement for good detection engineering practices, but it should also incentivise continuous improvement so that the right signals are surfaced for timely triage and response.

The takeaway

Identity isn’t just governance and compliance. It’s part of real-time cyber defence.

With strong foundations and adaptive controls, organisations can detect token theft, blunt lateral movement, cut attacker dwell time and protect critical data. And they can achieve this without the business grinding to a halt.
