Using Observability to Power a Smarter Cybersecurity Strategy

With an infrastructure for observability, security teams can make better decisions about access and identity-based threats.

Dan Conrad, AD Security and Management Team Lead, One Identity

March 29, 2023

5 Min Read
Person's hand with a digital eye hovering over it
Source: Skorzewiak via Alamy Stock Photo

When it comes to security, you can't protect what you can't see. That's why organizations that can visualize and understand their data are in a much better position to thwart cyberattacks and breaches. Observability is the best way for businesses to change how they detect and remediate cyberattacks — so much so that the observability market is expected to reach $2 billion by 2026.

While observability isn't a mainline discussion in the identity security space, it's an essential piece of the puzzle, shining a light on the attack surface that allows teams to identify and prevent breaches. By layering observability with identity management, security teams have access to more data on identity-based threats, and fewer silos to break down as they race to identify and prevent attacks.

Observability's Role in the Threat Landscape

Observability enables organizations to fully see, understand, and manage their systems. For example, data observability gives business leaders a clear picture of the data they have, where it's stored, and who has access. It lets teams know if their systems, servers, and applications are functioning properly and can identify downtime or vulnerabilities. A recent report found that the most sophisticated observability practitioners cut downtime costs by 90%, to $2.5 million versus $23.8 million, for observability beginners.

This is especially true when it comes to managing the identity attack surface. The sprawl of applications and systems employees are connected to is increasing exponentially, and security teams need specific information in order to determine which kinds of access are legitimate and which are risky. By getting full visibility into these systems, teams can track metrics about access over time and set clearer policies.

Establishing a Baseline of Normal

Observability not only helps to establish a baseline of "normal behavior," but helps identity and access management (IAM) systems use data to make valuable decisions that protect business operations and directly contribute to positive business outcomes. This strategy, known as behavior-driven governance, takes granular data about how people actually use their identities and access privileges, rather than what a business assumes they're doing.

Three types of data matter the most in setting a baseline:

  • Metrics: Quantifying performance, including key performance indicators (KPIs) such as response time, error rates, alerts, etc.

  • Traces: Allowing IT teams to locate the source of an alert (i.e., which part of a login process is vulnerable to bugs)

  • Logs: Answering the who, what, where, when, and how of access activities with contextual event information

For example, a security team using observability could monitor certain metrics, such as when employees sign in and sign out of a system, their location and their keystrokes, then look at the data over a 60- or 90-day period to form a baseline for "normal" utilization. If a log shows that an employee has access to 15 applications and only uses five on a regular basis, the team can revoke access to the unused apps to minimize risk.

If the company only has US employees and North American suppliers, and there's a login attempt from Singapore, it's easier to log that as a red flag and investigate. Better observability into data and the patterns associated with it can help businesses detect potential breaches quickly and efficiently.

To get the most out of observability, these three types of data should be used together to gain an overall understanding of the identities a business manages.

Third-Party Observability

Data observability should be built into systems; often it is, but its context changes as customers request different capabilities. For example, if customers want authentication-as-a-service, and choose to plug in an authentication module and let a third party handle that, they surrender their observability to the third party to some degree. These customers won't have access to performance metrics around the app's authentication modules, and they might not know what baseline behavior actually looks like unless they ask that third party for granular details.

Regardless of how much a security team builds versus buys its identity security infrastructure, it must make sure observability is built in from the start. Take Netflix as an example: At the beginning of the year, the company embarked on a plan to crack down on password sharing to stop users from accessing the app from devices not associated with their home network. While the company quickly walked back that plan amid user backlash, the original idea provides an interesting case study for how to use observability for identity security. To set identity management policy that is accurate, Netflix would have needed to be able to process, visualize, and get full observability into user data — everything from where users log in most to what time of day they're most likely to watch.

So, what can we take away from this example? How can businesses set up a data-first observability framework to use this data and set accurate policies? I'd suggest that all enterprises need to follow these best practices when it comes to setting up a data-first observability approach to security:

  • Key observability metrics based on organizational business priorities

  • Executive buy in to, and organization-wide education on, a culture of observability, data access, and governance

  • A pipeline to centralize and standardize data sources (like metrics, logs, and traces) that can be used to identify baseline and "abnormal" behavior

  • Analytics tools and automated processes (like RPA software bots) that can sort through the noise of alerts

Businesses already have much of the data they need on identity management. By implementing an infrastructure for observability, security teams can break through the noise and make better decisions about access and identity-based threats.

About the Author(s)

Dan Conrad

AD Security and Management Team Lead, One Identity

Dan Conrad is Federal CTO for Quest Software/One Identity. He has been with One Identity/Quest Software since 2007, where his roles have included Systems Consultant and a Solutions Architect for Compliance Solutions as well as Identity and Access Management Specialist. He retired from the USAF in 2004 and returned to government IT as a contractor where his primary focus was Active Directory design, migration, and sustainment. He holds many certifications, the highlights include CISSP, MCITP, and MCSE/MCSA.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights