Endpoint //

Authentication

10/25/2017
02:00 PM
Saryu Nayyar
Saryu Nayyar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Advanced Analytics + Frictionless Security: What CISOS Need to Know

Advances in analytics technologies promise to make identity management smarter and more transparent to users. But the process is neither straightforward nor easy.

The digital transformation of business processes is forcing CISOs to implement security processes that move at customer speed and reduce friction. This is placing greater strain on access management, because organizations need to protect themselves from account compromise and other digital threats while simultaneously providing a better user experience.

An approach known as adaptive access management can support run-time use cases that address CISOs' security needs while reducing speed bumps for the CIO. Today, advances in analytics involving multiple vendors and technologies are providing the foundation to make this possible by enabling real-time automated decision-making that doesn't require human intervention.

For example, an organization could monitor user access and activity in real time to capture and forward attributes, such as how a person holds his or her phone, device configuration, or apps used most frequently, into a risk engine. As described in a recent Wall Street Journal post, machine learning analytics create an individual risk score for each user. When actions deviate significantly from each user's baseline normal behavior, the risk score is increased. When risk thresholds are exceeded, the app may restrict access to certain functions or request another form of authentication before allowing the user to proceed.

Traditional approaches to adaptive access control were based on static roles and rules. These were created and maintained by security administrators, which resulted in a lag between a threat being identified and when a new rule was deployed. The emergence of machine learning techniques produces greater automation since more factors can be used to detect new threats with less human effort and reduced time frames.

Deploying adaptive access management and automated security responses that are dramatically smarter and more agile is neither straightforward nor easy. Let's consider six different implementations of analytics that are required to reduce security "friction."

Implementation 1: Risk Scoring
Adaptive access management requires a large number of factors be assessed together rather than individually. This is important because high risk in one factor can be compensated by another. Let's say a company's business partner makes an access request from a country where they don't operate. This may indicate a high risk. However, an access request from a longtime business partner in a fast-growing company that is opening up a new office in a new country may be low-risk. Under these circumstances, the country risk is contextual, not absolute. Making sophisticated access management decisions requires using an overall risk score to mediate conflicts.

Implementation 2: Behavior Analytics
By ingesting and monitoring activity data (typically logs from different sources) of a user's behavior, and following several weeks of training, behavior analytics can determine in real time whether an access request is normal. This form of analytics can identify when a user's credentials have been compromised, so access can be revoked in real time before damage occurs.

Implementation 3: Anomaly Detection
Analytics that use machine learning can identify when actions deviate from what is normal or expected. Traditionally, anomaly detection processes have created large numbers of false positives. Advanced analytics, meanwhile, can greatly reduce these.

Implementation 4: Dynamic Peer-Group Analysis
Analytics and machine learning can generate and use dynamically generated peer groups to further refine the analysis of what is normal and abnormal behavior to reduce false positives. If a new group member performs a sensitive action for the first time, it might be flagged as high risk. However, if other group members regularly perform the action, then it would not be considered high risk, even if it represents an anomaly for that specific user.

Implementation 5: Continuous Monitoring
The use of analytics enables more actions to be monitored, analyzed, and acted upon without long delays and a lot of false positives. This makes it possible to both evaluate risk at the initial time that access is requested and continue to monitor it for the entire length of a session. If an authorized user, for example, accesses an application and leaves to get coffee, this valid session could be hijacked.

Implementation 6: Predictive Analytics
Analytics can also be used to predict future events and recommend how an access management system should operate. For example, predictive analytics could determine that an authentication attempt from an IP address associated with past fraud events will likely be involved in new fraud attempts. The session could be flagged as higher risk for closer monitoring, or if other risk factors were present, be terminated.

Advances in analytics promise to make security smarter and more transparent to users. The challenge for CISOs is stitching together the systems needed to both gather the big data to make analytics-based decisions and implement the appropriate adaptive responses.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

 

 

 

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1067
PUBLISHED: 2018-05-21
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is ...
CVE-2018-7268
PUBLISHED: 2018-05-21
MagniComp SysInfo before 10-H81, as shipped with BMC BladeLogic Automation and other products, contains an information exposure vulnerability in which a local unprivileged user is able to read any root (uid 0) owned file on the system, regardless of the file permissions. Confidential information suc...
CVE-2018-11092
PUBLISHED: 2018-05-21
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
CVE-2018-11096
PUBLISHED: 2018-05-21
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
CVE-2018-11320
PUBLISHED: 2018-05-21
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.