In our human life, we are used to continuous checks and controls based on what we do every day, our daily behaviors. Imagine a world where a speedometer only periodically displayed how fast you were driving, and there were no police, speed limits, or traffic lights. How safe would the roads be?
The digital streets of the modern enterprise need to be safe as well, and in the realm of identity and access management, the ability to perform real-time checks and detect anomalies is a critical part of ensuring that. But while in our everyday lives many controls are rule-based and standardized (e.g., speed limit = 50 kph/mph, etc.), this one-size-fits-all approach does not work for identity-first security controls. What is the failed-login threshold alert that works for all of my employees and consultants? What’s the maximum download threshold? What’s a strange combination of SAP transactions?
I think you see my point: rules and rule-based security thresholds do not work for identity-first security controls, as every user has different business behaviors when using business applications. To make security fit-for-purpose, any enterprise needs to understand which behavioral anomalies, and in what combination, must be detected for security prevention and risk mitigation purposes.
For example, a user accessing a VPN outside of regular business hours may not on its own indicate malicious activity. However, if that user is accessing the VPN at an atypical time while also browsing a folder they would not normally access and downloading a document from SharePoint, those factors taken together are likely a sign that something is amiss. Ask this employee’s manager about this set of behaviors (compared to the employee’s historical habits), and he or she might say, “Wow, something is wrong here. I sense the guy is about to resign, and now all these unusual activities; I smell data exfiltration.” By correlating all this information, the organization gains the ability to make smarter decisions about potential threats.
This approach is what I call ‘identity-first, behavioral aware’ security. And it takes a lot of modern machine learning (ML) algorithms to achieve it. If you believe this approach is right because it’s the only cost-effective and pragmatic way to address security threats, then continue reading this article with some pre-canned 2022 New Year’s resolutions that you might want to carry forward as a strategic initiative.
My New Year’s resolutions for behavioral-aware, identity-centric security
- Re-explain User Behavior Analytics and stop calling it User and Entity Behavior Analytics (UEBA).
The ‘UEBA’ term was coined around ten years ago. At that time, machine learning was in its early days, ML models were only supervised, and ML specialists were required to get into the systems and tune the ML model to reduce the number of false positives. Today, unsupervised ML models, graph-based ML, and other advancements in the field have taken Identity-centric Behavioral Analytics (yes, say it like this) to a completely different level.
- Explain to my HR and Legal counsels that behavioral-aware security does not equal productivity controls. Remove the elephant from the room.
For many folks, especially HR and Legal and especially in Europe, the term ‘Behavior Analytics’ generates suspicion. “Are you monitoring employees’ productivity?” The simple answer is “No, sir.”
In the domain of Identity Behavioral Analytics, individual behavioral baselines are established for security events (e.g., your typical activity when accessing data folders, or your personal habits when using certain SAP transactions, and so forth). These baselines are agnostic scores built on historical data (with very short retention timeframes) that say nothing about how productive an employee is. Anomaly detection techniques tell whether there is a sharp change of habits compared to historical ones, without calling it good or bad.
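As an added illustration (not the author's or Sharelock's code) of the per-user baselines described here and of the correlated VPN/folder/download scenario above: each user gets their own habit baseline, a single deviation stays low-risk, and only a combination of deviations raises the score. User names, applications and events are constructed.

```python
from collections import defaultdict

# Constructed sample history: (user, app, hour_of_day, action, resource). Not real logs.
# Bob works the night shift, so 02:00 is normal for him; a fixed "off-hours" rule would misfire.
HISTORY = [
    ("alice", "vpn", 9, "login", "-"), ("alice", "sharepoint", 10, "read", "/sales/q1"),
    ("alice", "sharepoint", 14, "read", "/sales/q2"), ("alice", "vpn", 8, "login", "-"),
    ("bob", "vpn", 2, "login", "-"), ("bob", "vpn", 3, "login", "-"),
    ("bob", "sharepoint", 2, "read", "/ops/runbooks"), ("bob", "sharepoint", 3, "download", "/ops/runbooks"),
]

def build_baselines(events):
    """Per (user, app) habits: hours seen, resources touched, actions used.
    Toy baseline (plain sets); a production system would use hourly distributions."""
    base = defaultdict(lambda: {"hours": set(), "resources": set(), "actions": set()})
    for user, app, hour, action, resource in events:
        b = base[(user, app)]
        b["hours"].add(hour)
        b["actions"].add(action)
        if resource != "-":
            b["resources"].add(resource)
    return base

def event_anomalies(baselines, event):
    """Names the habits this event deviates from; no good/bad judgement is made here."""
    user, app, hour, action, resource = event
    b = baselines.get((user, app))          # .get() does not create a baseline for unknown pairs
    if b is None:
        return ["new_app"]
    found = []
    if hour not in b["hours"]:
        found.append("atypical_hour")
    if resource != "-" and resource not in b["resources"]:
        found.append("unseen_resource")
    if action not in b["actions"]:
        found.append("unseen_action")
    return found

def session_risk(baselines, session):
    """Correlates distinct anomaly types across one user's session; only combinations raise risk."""
    distinct = set()
    for ev in session:
        distinct.update(event_anomalies(baselines, ev))
    level = "high" if len(distinct) >= 3 else "medium" if len(distinct) == 2 else "low"
    return level, sorted(distinct)

if __name__ == "__main__":
    B = build_baselines(HISTORY)
    print(session_risk(B, [("bob", "vpn", 2, "login", "-")]))       # night-shift login: low
    print(session_risk(B, [("alice", "vpn", 2, "login", "-"),       # off-hours VPN + unseen
                           ("alice", "sharepoint", 2, "download", "/hr/salaries")]))  # folder + download
```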
- Explain to my business counterparts that they are critical for a better security posture.
How often do you hear a “too late” comment after a data breach, fraud, or ransomware attack? Or comments like “Oh, if only we had asked his manager, he probably knew.” With anomaly detection applied to business applications, the business people (e.g., a team manager or a business application owner) can provide practical insights regarding whether any anomalous activities performed by their employees/contractors have a business justification or are an early signal of a downstream security situation. Explain to them that they will access and use these risk insights inside the user interface (UI) that makes the most sense: the IGA UI they use every day for approving, reviewing, and revoking access permissions.
- Explain to my Security Operations Center (SOC) techies why I cannot use their SIEM/log management system.
Ask any SOC/security guy, and they will immediately say that User Behavior is just a tiny feature of the SIEM platform or service. Now, ask a second question: “Why are so few business applications connected to the SIEM system? And why don’t you generate risk signals that can be managed inside the business UI of an IGA platform?” There is a 99% probability they will cite “political reasons.” The reality is that the SIEM platform does not speak a language that any business user can understand.
- Build a business case for implementing behavioral-aware identity controls that covers a maximum of seven business applications.
Some business applications are more critical than others, making behavioral anomalies related to those programs more significant. For this reason, organizations should adopt a risk-based approach. Let’s monitor behavioral anomalies on just the risk-relevant applications. Pick a maximum of seven: four to five usual suspects (SAP, collaboration software, VPN, Salesforce, etc.) and two or three homegrown applications with a reasonable user log file. Ingest six to nine months of historical data (depending on the application’s verbosity) to train the identity-centric behavioral platform and learn the initial habits. By doing so, it will take you less than 8-10 weeks to get your behavioral-aware, identity-centric security approach up and running.
With 2022 right around the corner, it is the perfect time for IT and business leaders to think about how their approach to identity and security can evolve to meet the changing needs of their organization. Future-proofing your organization requires putting an emphasis on effectively managing user access, and the more information identity solutions can leverage about user behavior, the more your organization will be able to reduce the risks it will face in the year to come.
About the Author: Andrea Rossi, Sharelock Shareholder & Growth Advisor. Andrea is a Senior Cybersecurity and Identity Management executive. His operating experience includes start-ups as well as large, multi-national corporations as a result of successful company exits. As co-founder of CrossIdeas, he led a team that quickly rose to be a recognized industry leader, resulting in a successful acquisition by the IBM Corporation in 2014.