Executive Summary

Eighty percent of breaches involve compromised credentials, according to CrowdStrike's 2024 Global Threat Report. The security industry's response has been to strengthen authentication: MFA everywhere, passwordless where possible, continuous authentication at the session level. These are correct and necessary measures.

They are also insufficient.

Authentication answers one question: is this credential valid? It does not answer whether the identity presenting that credential is behaving in a manner causally consistent with legitimate activity. The first question can be answered with cryptography. The second requires a model of identity behavior over time, with causal awareness of what is driving observed actions. That model is what Trust Drift provides.


The Credential Is Not the Identity

Security programs have invested heavily in the premise that protecting the credential protects the identity: strong password, enforced MFA, appropriate session token TTL, and the identity is secure.

This premise was always an approximation. In the current threat environment it is catastrophically wrong.

Modern identity-based attacks do not primarily target the credential mechanism. They target the credential itself, stealing it, duplicating it, or impersonating the context in which it is legitimately used. The attacker does not break your authentication. They authenticate.

The attack surface, properly understood, is not the authentication mechanism. It is the identity's behavioral baseline: the pattern of activity that distinguishes legitimate use from adversarial use of valid credentials. When you protect only the mechanism, you leave the baseline entirely undefended.


Baseline vs. Snapshot

Current identity security tools (UEBA platforms, CASB products, identity threat detection and response (ITDR) solutions) measure behavioral anomaly primarily as deviation from a statistical baseline. An identity that typically logs in from Austin at 8:30 AM suddenly authenticating from Frankfurt at 3:00 AM triggers an anomaly alert. This is valuable and widely implemented.

It misses a specific class of attack that modern threat actors have learned to execute with precision.

Rather than making a dramatic change, the attacker using compromised credentials gradually shifts the identity's behavioral pattern over days or weeks. They authenticate during normal business hours from normal locations. They access the same applications the legitimate user accesses. They make small incremental changes: one additional system, one additional dataset, each falling within the normal statistical variance of the baseline.

By the time the attacker is ready to execute their actual objective, they have reshaped the behavioral baseline. Statistical anomaly detection compares current behavior to the evolved baseline and sees normal. The drift was the attack. It went undetected because no system was tracking the direction and cause of baseline evolution, only the distance from it at any given moment.

Trust Drift addresses this by modeling the trajectory of identity behavior, the rate and direction of change, and crucially, the causal antecedents driving that change.


The Causal Structure of Trust

A Trust Drift score is a continuously updated function of four dimensions.

Behavioral consistency measures how closely current activity matches the historical baseline: access patterns, timing, source locations, applications, data volumes.

Peer group alignment compares the identity's behavior to similar identities in the same role and department. Significant deviation from peer group behavior in a specific dimension carries more weight than deviation from personal baseline alone, because it rules out role-specific activity shifts.

Causal antecedents are the dimension that separates Trust Drift from conventional behavioral analytics. An identity accessing a system they do not normally access is a behavioral anomaly. That same access occurring via a causal chain that includes a credential dump event four hours earlier is an entirely different signal. The causal context is what separates an anomaly from an attack.

Temporal dynamics reflect the reality that trust has momentum. An identity in a stable high-trust state does not become low-trust from a single anomalous event. Scores decay and recover gradually, with faster decay weighted toward causally significant events: credential access, authentication failures, lateral movement involvement.

The Hawkes process, a self-exciting temporal point process borrowed from financial risk modeling, provides the mathematical foundation. It captures the intuition that an identity involved in one anomalous causal chain has elevated probability of subsequent anomalous events, not arbitrarily, but because that is the statistical reality of how identity-based attacks unfold.


The Okta Incident Sequence: A Causal Analysis

The 2022 Okta breach, in which an attacker gained access to the support system via a compromised support contractor account, illustrates what Trust Drift analysis would have surfaced.

The contractor account's behavioral history was consistent: specific support tools, business hours, defined geographic access origin, defined data volume per session.

What occurred in the days before detection: the contractor endpoint was compromised via social engineering, and the device began exhibiting anomalous process execution in the form of credential harvesting tooling activity, which would register as a low-severity causal event. The trust score delta at this point was small, around -0.08: suspicious device behavior, but not conclusive.

Over the following 16-day dwell period, the attacker used the harvested session token intermittently, during business hours, accessing systems within the contractor's normal access profile. Individual accesses fell within normal statistical variance. Trust score remained stable.

On day 16, the attacker began accessing Okta customer case data, within the contractor's technical scope but outside their behavioral baseline for volume and data type. Trust score delta: -0.24, elevated because of the day-one causal antecedent. By day 17, the score dropped below 0.50 and the causal chain connected: device compromise on day one, to credential extraction, to session token use, to anomalous data access. A MIXED-grade identity compromise chain.

The compounded causal signal, device compromise as antecedent to behavioral drift, is what statistical anomaly detection alone cannot surface. The device event and the behavioral drift are separated by 16 days and occur on different systems. They are causally linked. That linkage is the detection.
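The temporal-dynamics passage and the Okta sequence above can be made concrete with a small self-exciting (Hawkes-style) score. This is an added illustration, not TRA-CE.ai's implementation: the event kinds, weights, decay rate and coupling constant are assumptions, so the scores differ from the deltas quoted above, but the mechanism is the one described: a day-one device event leaves residual excitation that amplifies the day-16 and day-17 data-access events and links them into one chain, while the same accesses without the antecedent score higher.

```python
import math
from dataclasses import dataclass, field

# Assumed weights, causal links and decay for this example; real tuning is per estate.
BASE_WEIGHT = {"credential_harvest_tooling": 0.08, "anomalous_data_access": 0.25}
ANTECEDENTS = {"anomalous_data_access": {"credential_harvest_tooling", "anomalous_data_access"}}
DECAY_PER_DAY = 0.05  # exponential forgetting of each event's excitation
COUPLING = 8.0        # residual antecedent excitation amplifies a new event's weight
LINK_FLOOR = 0.01     # residual excitation needed to join a causal chain

@dataclass(eq=False)
class Event:
    day: float
    kind: str
    weight: float                                   # after causal amplification
    antecedents: list = field(default_factory=list)

class TrustDrift:
    """Self-exciting (Hawkes-style) trust score for a single identity."""
    def __init__(self):
        self.events = []
    def _residual(self, ev, day):
        # Excitation an earlier event still contributes at `day`.
        return ev.weight * math.exp(-DECAY_PER_DAY * (day - ev.day))
    def observe(self, day, kind):
        # Earlier events of an antecedent kind that still carry excitation are linked.
        linked = [e for e in self.events if e.kind in ANTECEDENTS.get(kind, ())
                  and self._residual(e, day) >= LINK_FLOOR]
        boost = sum(self._residual(e, day) for e in linked)
        ev = Event(day, kind, BASE_WEIGHT[kind] * (1.0 + COUPLING * boost), linked)
        self.events.append(ev)
        return ev
    def score(self, day):
        # Trust is 1.0 with no excitation and falls as the summed intensity grows.
        return math.exp(-sum(self._residual(e, day) for e in self.events if e.day <= day))
    def chain(self, ev):
        # Walk antecedent links back to the root events, oldest first.
        seen = set()
        def walk(e):
            seen.add(e)
            [walk(a) for a in e.antecedents if a not in seen]
        walk(ev)
        return sorted((e.day, e.kind) for e in seen)

def timeline(with_antecedent):
    """Constructed timeline: optional day-1 device event, then data access on days 16 and 17."""
    td = TrustDrift()
    if with_antecedent:
        td.observe(1, "credential_harvest_tooling")
    td.observe(16, "anomalous_data_access")
    last = td.observe(17, "anomalous_data_access")
    return {"day16": td.score(16), "day17": td.score(17), "chain": td.chain(last)}
```

With the antecedent, `timeline(True)` scores roughly 0.70 on day 16 and 0.28 on day 17 and returns the three-event chain; `timeline(False)` scores roughly 0.78 and 0.38 for the identical accesses.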


Service Accounts: The Blind Spot Within the Blind Spot

Human identities are increasingly defended. Service accounts remain dramatically underprotected relative to the risk they represent.

Service accounts are often excluded from MFA requirements. They have static, long-lived credentials. They access sensitive systems as part of legitimate workflows. They are difficult to baseline because their behavior is driven by application logic. And they are specifically targeted by ransomware actors because compromising a service account with broad system access provides lateral movement capability with lower detection risk than compromising a heavily monitored human account.

Trust Drift for service accounts focuses on a different behavioral signature. Schedule adherence matters: service accounts should follow predictable timing patterns derived from their application's execution schedule, and access during periods when the application is not expected to be running is high-significance. Scope consistency matters: access to systems outside the application's functional requirements, even if technically authorized, is anomalous. Causal coherence matters: legitimate service account behavior has causal antecedents in application events. Service account behavior that cannot be traced to a legitimate application trigger is highly suspicious.

The 2023 Okta incident involved a service account used as a lateral movement vehicle. The account accessed systems within its technical authorization but outside its behavioral scope. A causal Trust Drift model would have flagged the deviation within hours. The actual detection lag was weeks.
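The three service-account signals named above (schedule adherence, scope consistency, causal coherence) as checks over a constructed log. This is an added example, not TRA-CE.ai's code: the account profile, the log line format and the trigger job name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical behavioural profile for one service account (assumption for this example).
PROFILE = {
    "account": "svc-backup",
    "windows": [(2, 4)],                      # allowed UTC hours, [start, end)
    "scope": {"db-prod", "blob-backups"},     # systems the application actually needs
    "trigger_job": "nightly-backup",          # application event that should precede access
    "trigger_max_lag": timedelta(minutes=30), # access later than this has no causal trigger
}

# Constructed log format: "<iso-timestamp> <actor> <action> key=value ..."
LINE = re.compile(r"^(\S+) (\S+) (\w+)(.*)$")

def parse(line):
    ts, actor, action, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "actor": actor, "action": action, **fields}

def assess(lines, profile=PROFILE):
    """Return (timestamp, target, reasons) for each access that breaks the profile."""
    events = [parse(l) for l in lines]
    triggers = [e["ts"] for e in events
                if e["action"] == "started" and e.get("job") == profile["trigger_job"]]
    findings = []
    for e in events:
        if e["actor"] != profile["account"] or e["action"] != "access":
            continue
        reasons = []
        # Schedule adherence: is the access inside an expected execution window?
        if not any(lo <= e["ts"].hour < hi for lo, hi in profile["windows"]):
            reasons.append("outside_schedule")
        # Scope consistency: authorised is not the same as required.
        if e["target"] not in profile["scope"]:
            reasons.append("outside_scope")
        # Causal coherence: was there an application trigger shortly before?
        if not any(timedelta(0) <= e["ts"] - t <= profile["trigger_max_lag"] for t in triggers):
            reasons.append("no_application_trigger")
        if reasons:
            findings.append((e["ts"].isoformat(), e["target"], reasons))
    return findings

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2024-03-05T02:00:02Z scheduler started job=nightly-backup",
    "2024-03-05T02:05:11Z svc-backup access target=db-prod result=ok",
    "2024-03-05T02:09:40Z svc-backup access target=blob-backups result=ok",
    "2024-03-05T14:22:03Z svc-backup access target=db-prod result=ok",
    "2024-03-06T02:00:05Z scheduler started job=nightly-backup",
    "2024-03-06T02:11:30Z svc-backup access target=hr-fileshare result=ok",
]
```

`assess(SAMPLE_LOG)` flags the 14:22 access (off schedule and with no preceding job start) and the `hr-fileshare` access (inside the window and causally triggered, but outside the application's scope); the two nightly accesses pass all three checks.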


Practical Implementation

Trust Drift is most powerful when integrated directly with access control enforcement, as a real-time enrichment signal at the access decision point rather than a retrospective analysis tool.

Event ingestion comes from the IdP (Okta, Azure AD, Ping), endpoint EDR, application access from CASB, and network from NGFW and proxy. All of these feed the causal event graph.

Trust scores are computed continuously, updated within seconds of new event ingest, ranging from 0.0 to 1.0. Trajectory (rate of change) is computed over 1-hour, 6-hour, and 24-hour windows to capture both fast and slow drift.

At access decision time, the ZT policy engine queries the Trust Drift API for score, trajectory delta, and active causal chain membership. Policy applies step-up authentication or a session hold based on configured thresholds. If an identity is a node in an active causal chain, that status surfaces as an additional risk signal regardless of its absolute trust score.
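The access-decision step described above, as an added example that is not TRA-CE.ai's API: the score history, the thresholds and the action names are assumptions; the windows are the 1-hour, 6-hour and 24-hour windows named in the text.

```python
from bisect import bisect_right
from datetime import datetime, timedelta, timezone

# Trajectory windows from the text; thresholds and action names are assumptions.
WINDOWS = {"1h": timedelta(hours=1), "6h": timedelta(hours=6), "24h": timedelta(hours=24)}
HOLD_SCORE = 0.50     # below this the session is held
STEPUP_SCORE = 0.70   # below this (or on a fast drop) step-up authentication is required
FAST_DROP = -0.15     # score change over any window that counts as fast drift

def trajectory(history, now):
    """Current score and its change over each window.
    history is a time-ordered list of (timestamp, score) samples."""
    times = [t for t, _ in history]
    idx = bisect_right(times, now)
    if idx == 0:
        raise ValueError("no score sample at or before now")
    current = history[idx - 1][1]                   # latest sample at or before now
    deltas = {}
    for name, width in WINDOWS.items():
        i = bisect_right(times, now - width) - 1    # latest sample at or before window start
        past = history[i][1] if i >= 0 else history[0][1]
        deltas[name] = round(current - past, 3)
    return current, deltas

def decide(score, deltas, in_active_chain):
    """Map the Trust Drift signal to an access-decision outcome."""
    if score < HOLD_SCORE:
        return "hold_session"
    # Chain membership is a risk signal on its own, independent of the absolute score.
    if in_active_chain or score < STEPUP_SCORE or min(deltas.values()) <= FAST_DROP:
        return "step_up_auth"
    return "allow"

def evaluate(history, now, in_active_chain):
    score, deltas = trajectory(history, now)
    return score, deltas, decide(score, deltas, in_active_chain)

def _utc(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)

SAMPLE_HISTORY = [  # constructed: slow drift over a day, then a sharper evening drop
    (_utc(5, 0), 0.86), (_utc(5, 12), 0.85), (_utc(5, 20), 0.84),
    (_utc(5, 23, 30), 0.76), (_utc(5, 23, 50), 0.74),
]
SAMPLE_NOW = _utc(6, 0)
```

At `SAMPLE_NOW` the score is 0.74 with drops of 0.10, 0.11 and 0.12 over the three windows, so the identity is allowed on score alone but stepped up the moment it is a node in an active causal chain.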


Conclusion

That eighty percent of breaches involve compromised credentials is not a credential problem. It is an identity-behavior-causality problem. The credentials are valid. The authentication succeeds. The breach happens because nothing is tracking the causal trajectory of the identity behind the credential, a trajectory that a stolen credential can never authentically reproduce.

Trust Drift closes this gap. It does not replace authentication. It makes authentication meaningful by anchoring it to a causal understanding of the identity behind the credential.


TRA-CE.ai | Causal Security Intelligence | tra-ce.ai