10/25/2017 02:00 PM
Saryu Nayyar
Commentary
Advanced Analytics + Frictionless Security: What CISOs Need to Know

Advances in analytics technologies promise to make identity management smarter and more transparent to users. But the process is neither straightforward nor easy.

The digital transformation of business processes is forcing CISOs to implement security processes that move at customer speed and reduce friction. This is placing greater strain on access management, because organizations need to protect themselves from account compromise and other digital threats while simultaneously providing a better user experience.

An approach known as adaptive access management can support run-time use cases that address CISOs' security needs while reducing speed bumps for the CIO. Today, advances in analytics involving multiple vendors and technologies are providing the foundation to make this possible by enabling real-time automated decision-making that doesn't require human intervention.

For example, an organization could monitor user access and activity in real time to capture and forward attributes, such as how a person holds his or her phone, device configuration, or apps used most frequently, into a risk engine. As described in a recent Wall Street Journal post, machine learning analytics create an individual risk score for each user. When actions deviate significantly from each user's baseline normal behavior, the risk score is increased. When risk thresholds are exceeded, the app may restrict access to certain functions or request another form of authentication before allowing the user to proceed.

Traditional approaches to adaptive access control were based on static roles and rules. These were created and maintained by security administrators, which resulted in a lag between a threat being identified and a new rule being deployed. Machine learning techniques allow more of this to be automated: more factors can be evaluated at once, so new threats can be detected with less human effort and shorter turnaround times.

Deploying adaptive access management and automated security responses that are dramatically smarter and more agile is neither straightforward nor easy. Let's consider six different implementations of analytics that are required to reduce security "friction."

Implementation 1: Risk Scoring
Adaptive access management requires that a large number of factors be assessed together rather than individually. This is important because high risk in one factor can be offset by another. Let's say a company's business partner makes an access request from a country where the partner does not operate. In isolation this may indicate high risk. However, the same request from a longtime business partner at a fast-growing company that is opening a new office in that country may be low risk. Under these circumstances, the country risk is contextual, not absolute. Making sophisticated access management decisions requires an overall risk score that mediates conflicts between individual factors.

Implementation 2: Behavior Analytics
By ingesting and monitoring activity data (typically logs from different sources) of a user's behavior, and following several weeks of training, behavior analytics can determine in real time whether an access request is normal. This form of analytics can identify when a user's credentials have been compromised, so access can be revoked in real time before damage occurs.

Implementation 3: Anomaly Detection
Analytics that use machine learning can identify when actions deviate from what is normal or expected. Traditionally, anomaly detection processes have created large numbers of false positives. Advanced analytics, meanwhile, can greatly reduce these.

Implementation 4: Dynamic Peer-Group Analysis
Analytics and machine learning can generate and use dynamically generated peer groups to further refine the analysis of what is normal and abnormal behavior to reduce false positives. If a new group member performs a sensitive action for the first time, it might be flagged as high risk. However, if other group members regularly perform the action, then it would not be considered high risk, even if it represents an anomaly for that specific user.

Implementation 5: Continuous Monitoring
The use of analytics enables more actions to be monitored, analyzed, and acted upon without long delays and a lot of false positives. This makes it possible both to evaluate risk at the moment access is requested and to keep re-evaluating it for the entire length of a session. Authentication at login alone is not enough: if an authorized user, for example, accesses an application and leaves to get coffee, that valid session could be hijacked, and only continued monitoring of in-session behavior would catch the change.

Implementation 6: Predictive Analytics
Analytics can also be used to predict future events and recommend how an access management system should operate. For example, predictive analytics could determine that an authentication attempt from an IP address associated with past fraud events will likely be involved in new fraud attempts. The session could be flagged as higher risk for closer monitoring, or if other risk factors were present, be terminated.
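The six implementations above can be sketched together in one small risk engine. The following is an added example written for this page, not the author's or any vendor's code: it trains per-user and per-peer-group baselines from a constructed access log (Implementations 2 and 3), scores a request on several factors at once so that business context can offset a new country (Implementation 1), treats a first-time action as low risk when peers do it routinely (Implementation 4), re-scores every event within a session rather than only the login (Implementation 5), and adds weight for a source IP tied to past fraud (Implementation 6). The log lines, peer groups, IP list, weights and thresholds are all assumptions made for the example, and the peer groups are fixed rather than dynamically generated.

```python
"""Toy adaptive access risk engine.

Added illustration, not the article's or any vendor's code. The log, peer
groups, IP list, weights and thresholds are all constructed for the example;
a real deployment learns most of them from data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed training log standing in for several weeks of access logs:
# (user, country, action).
TRAINING_LOG = [
    ("alice", "US", "view_report"), ("alice", "US", "view_report"),
    ("alice", "US", "export_report"), ("alice", "US", "view_report"),
    ("bob", "US", "view_report"), ("bob", "US", "export_report"),
    ("bob", "DE", "export_report"), ("bob", "US", "export_report"),
    ("carol", "US", "view_report"), ("carol", "US", "view_report"),
    ("dave", "FR", "admin_reset"), ("dave", "FR", "admin_reset"),
]
# Assumed fixed peer groups; the article's dynamic grouping is not modelled.
PEER_GROUPS = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "it"}
# Constructed reputation data: an address (TEST-NET-3) tied to past fraud.
KNOWN_FRAUD_IPS = {"203.0.113.7"}
# Constructed business context: partner user bob announced a new office in BR.
ANNOUNCED_EXPANSION = {"bob": {"BR"}}

# Assumed weights and thresholds; tune them against your false-positive budget.
W_NEW_COUNTRY, W_EXPECTED_COUNTRY = 40, 10
W_NEW_ACTION, W_PEER_ACTION = 45, 10
W_FRAUD_IP = 30
PEER_REGULAR_SHARE = 0.2   # peers "regularly" perform an action above this share
STEP_UP_AT, DENY_AT = 40, 75

@dataclass
class Baselines:
    countries: dict = field(default_factory=lambda: defaultdict(set))
    actions: dict = field(default_factory=lambda: defaultdict(Counter))
    peer_actions: dict = field(default_factory=lambda: defaultdict(Counter))

def train(log, peer_groups):
    """Build per-user and per-peer-group baselines from historical events."""
    b = Baselines()
    for user, country, action in log:
        b.countries[user].add(country)
        b.actions[user][action] += 1
        b.peer_actions[peer_groups.get(user, "unknown")][action] += 1
    return b

def score_request(user, country, action, ip, b, peer_groups):
    """Assess every factor together and return (overall score, reasons)."""
    score, reasons = 0, []
    if country not in b.countries[user]:                     # Implementation 1
        if country in ANNOUNCED_EXPANSION.get(user, set()):
            score += W_EXPECTED_COUNTRY
            reasons.append("new country, consistent with announced expansion")
        else:
            score += W_NEW_COUNTRY
            reasons.append("country never seen for this user")
    if action not in b.actions[user]:                        # Implementations 2-4
        peers = b.peer_actions[peer_groups.get(user, "unknown")]
        share = peers[action] / max(sum(peers.values()), 1)
        if share >= PEER_REGULAR_SHARE:
            score += W_PEER_ACTION
            reasons.append("first time for this user, but routine for peers")
        else:
            score += W_NEW_ACTION
            reasons.append("action unseen for this user and unusual for peers")
    if ip in KNOWN_FRAUD_IPS:                                # Implementation 6
        score += W_FRAUD_IP
        reasons.append("source IP linked to past fraud")
    return score, reasons

def decide(score):
    """Map the overall score onto an adaptive response."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"

def monitor_session(user, events, b, peer_groups):
    """Implementation 5: re-score each in-session event, not only the login;
    stop at the first 'deny' (session terminated)."""
    outcome = []
    for country, action, ip in events:
        score, _ = score_request(user, country, action, ip, b, peer_groups)
        outcome.append(decide(score))
        if outcome[-1] == "deny":
            break
    return outcome

if __name__ == "__main__":
    base = train(TRAINING_LOG, PEER_GROUPS)
    for req in [("bob", "BR", "export_report", "198.51.100.4"),
                ("carol", "US", "admin_reset", "198.51.100.4"),
                ("alice", "RU", "admin_reset", "203.0.113.7")]:
        s, why = score_request(*req, base, PEER_GROUPS)
        print(req[:3], s, decide(s), why)
```

With these constructed inputs, bob's first request from Brazil scores only 10 and is allowed because the announced expansion offsets the unfamiliar country; carol's first export_report is allowed because her finance peers export routinely, while her first admin_reset triggers step-up authentication; and alice's request from a new country, for a new action, from a fraud-linked address accumulates 115 and is denied. The same scoring applied to each event in a session lets a hijacked session drift from "allow" to "step_up" to "deny" without a new login ever occurring.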

Advances in analytics promise to make security smarter and more transparent to users. The challenge for CISOs is stitching together the systems needed to both gather the big data to make analytics-based decisions and implement the appropriate adaptive responses.

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was a founding member of Vaau, an ...