This is the 2nd entry in our 3-post series, "Identity is the New Perimeter—So Why Are We Still Burying It in Logs?"
-----
In today’s breach landscape, identity isn’t a gate—it’s a weapon. Attackers don’t need to break down doors; they’re walking right in with valid credentials. Once inside, they look just like your workforce… until they don’t. The only way to catch them is by detecting subtle changes in behavior. And that’s exactly what our current stack is failing at.
Think about this: if a user logs in from a new location, disables MFA, downloads a trove of data from an unusual app, and then spins up access to an adjacent system—that should set off sirens, right? But in most environments, those events are spread across five log sources and 15 minutes of SIEM lag.
Behavioral analysis flips that model. It assumes the attacker has credentials and starts with the question: “Is this normal for this identity?” It’s not about whether the login succeeded. It’s about whether the pattern of activity fits established baselines.
This approach demands a real-time, identity-centric view of the world—not a retroactive look through generic logs.
IAM vendors have had years—decades really—to move beyond access control. However, their focus has remained on optimizing authentication mechanics: password resets, MFA policies, token issuance. They’ve built various user experience and compliance features, but not threat detection.
Even when these platforms offer “risk-based” access or “adaptive” policies, they’re mostly checking point-in-time risk factors: device type, IP, or velocity. That’s not behavioral. That’s basic hygiene. And they’re charging premiums for it.
The real threat is in the sequence of identity activity—how users behave over time. IAM platforms are not capturing or correlating this context. They mint the token and walk away.
SIEM platforms were never meant to be behavioral engines. They don’t maintain memory of how a user normally operates, and they don’t understand context. And they definitely can’t stitch together five seemingly benign identity events and say, “something’s off here.”
Worse, they rely on rigid rules or post-hoc analysis to surface threats—by which time, the attacker has already moved laterally, exfiltrated data, or created persistent backdoors.
Bottom line: You can’t detect a modern identity threat by looking at static, siloed events. You need a behavioral layer built specifically for identity.
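The event chain described above (new location, MFA disabled, bulk download from an unusual app, then access to an adjacent system) stitched together per identity against a baseline, as an added example that is not from the original post or any product. The baselines, event records, signal names, 30-minute window and three-signal threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-identity baselines (hypothetical; in practice learned from history).
BASELINES = {
    "alice": {"countries": {"US"}, "apps": {"mail", "crm"}, "download_mb": 50},
    "bob": {"countries": {"US"}, "apps": {"mail"}, "download_mb": 50},
}

# Constructed events, already normalised from several sources (IdP, SaaS, cloud).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "bob", "kind": "login", "country": "US"},
    {"ts": "2024-05-01T09:01:00", "user": "alice", "kind": "login", "country": "RO"},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "kind": "mfa_disabled"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "kind": "download", "app": "hr-portal", "mb": 900},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "kind": "role_assumed", "target": "finance-db"},
    {"ts": "2024-05-01T09:12:00", "user": "bob", "kind": "download", "app": "mail", "mb": 5},
]

def signals(ev, base):
    """Behavioral signals one event trips against the identity's baseline (empty = normal)."""
    kind = ev["kind"]
    if kind == "login" and ev["country"] not in base["countries"]:
        return ["new_location"]
    if kind == "mfa_disabled":
        return ["mfa_disabled"]
    if kind == "download":
        return [s for s, bad in (("unusual_app", ev["app"] not in base["apps"]),
                                ("bulk_download", ev["mb"] > base["download_mb"])) if bad]
    if kind == "role_assumed":
        return ["new_system_access"]
    return []

def correlate(events, baselines, window=timedelta(minutes=30), threshold=3):
    """Keep a sliding window of signals per identity; alert once when distinct signals reach threshold."""
    chains, alerts, alerted = defaultdict(list), [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = baselines.get(ev["user"])
        if base is None:
            continue  # unknown identity: nothing to compare against
        ts = datetime.fromisoformat(ev["ts"])
        chain = [(t, s) for t, s in chains[ev["user"]] if ts - t <= window]  # evict stale signals
        chain += [(ts, s) for s in signals(ev, base)]
        chains[ev["user"]] = chain
        distinct = sorted({s for _, s in chain})
        if len(distinct) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], distinct))
    return alerts
```

Each of alice's events is individually unremarkable; the alert fires only because the window accumulates several distinct deviations from her baseline, while bob's in-baseline activity produces no signals at all.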
-----
In PART 1, we explain how SIEMs miss modern threats by treating identity activity as basic logs, allowing attackers using valid credentials to go undetected. Identity signals get lost in the noise, and by the time they’re analyzed, it’s often too late to stop the attack.
In PART 3, we look at what the future of identity security really looks like—and why organizations need to treat identity signals as first-class threat intel rather than letting them become more log fodder.