Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

10/25/2017
02:00 PM
Saryu Nayyar
Saryu Nayyar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Advanced Analytics + Frictionless Security: What CISOS Need to Know

Advances in analytics technologies promise to make identity management smarter and more transparent to users. But the process is neither straightforward nor easy.

The digital transformation of business processes is forcing CISOs to implement security processes that move at customer speed and reduce friction. This is placing greater strain on access management, because organizations need to protect themselves from account compromise and other digital threats while simultaneously providing a better user experience.

An approach known as adaptive access management can support run-time use cases that address CISOs' security needs while reducing speed bumps for the CIO. Today, advances in analytics involving multiple vendors and technologies are providing the foundation to make this possible by enabling real-time automated decision-making that doesn't require human intervention.

For example, an organization could monitor user access and activity in real time to capture and forward attributes, such as how a person holds his or her phone, device configuration, or apps used most frequently, into a risk engine. As described in a recent Wall Street Journal post, machine learning analytics create an individual risk score for each user. When actions deviate significantly from each user's baseline normal behavior, the risk score is increased. When risk thresholds are exceeded, the app may restrict access to certain functions or request another form of authentication before allowing the user to proceed.

Traditional approaches to adaptive access control were based on static roles and rules. These were created and maintained by security administrators, which resulted in a lag between a threat being identified and when a new rule was deployed. The emergence of machine learning techniques produces greater automation since more factors can be used to detect new threats with less human effort and reduced time frames.

Deploying adaptive access management and automated security responses that are dramatically smarter and more agile is neither straightforward nor easy. Let's consider six different implementations of analytics that are required to reduce security "friction."

Implementation 1: Risk Scoring
Adaptive access management requires a large number of factors be assessed together rather than individually. This is important because high risk in one factor can be compensated by another. Let's say a company's business partner makes an access request from a country where they don't operate. This may indicate a high risk. However, an access request from a longtime business partner in a fast-growing company that is opening up a new office in a new country may be low-risk. Under these circumstances, the country risk is contextual, not absolute. Making sophisticated access management decisions requires using an overall risk score to mediate conflicts.

Implementation 2: Behavior Analytics
By ingesting and monitoring activity data (typically logs from different sources) of a user's behavior, and following several weeks of training, behavior analytics can determine in real time whether an access request is normal. This form of analytics can identify when a user's credentials have been compromised, so access can be revoked in real time before damage occurs.

Implementation 3: Anomaly Detection
Analytics that use machine learning can identify when actions deviate from what is normal or expected. Traditionally, anomaly detection processes have created large numbers of false positives. Advanced analytics, meanwhile, can greatly reduce these.

Implementation 4: Dynamic Peer-Group Analysis
Analytics and machine learning can generate and use dynamically generated peer groups to further refine the analysis of what is normal and abnormal behavior to reduce false positives. If a new group member performs a sensitive action for the first time, it might be flagged as high risk. However, if other group members regularly perform the action, then it would not be considered high risk, even if it represents an anomaly for that specific user.

Implementation 5: Continuous Monitoring
The use of analytics enables more actions to be monitored, analyzed, and acted upon without long delays and a lot of false positives. This makes it possible to both evaluate risk at the initial time that access is requested and continue to monitor it for the entire length of a session. If an authorized user, for example, accesses an application and leaves to get coffee, this valid session could be hijacked.

Implementation 6: Predictive Analytics
Analytics can also be used to predict future events and recommend how an access management system should operate. For example, predictive analytics could determine that an authentication attempt from an IP address associated with past fraud events will likely be involved in new fraud attempts. The session could be flagged as higher risk for closer monitoring, or if other risk factors were present, be terminated.

Advances in analytics promise to make security smarter and more transparent to users. The challenge for CISOs is stitching together the systems needed to both gather the big data to make analytics-based decisions and implement the appropriate adaptive responses.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

 

 

 

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22861
PUBLISHED: 2021-03-03
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted ...
CVE-2021-22862
PUBLISHED: 2021-03-03
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of ...
CVE-2021-22863
PUBLISHED: 2021-03-03
An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would b...
CVE-2020-10519
PUBLISHED: 2021-03-03
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the Gi...
CVE-2021-21353
PUBLISHED: 2021-03-03
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was p...