Unlocking its full potential requires closed-loop responses
Leslie K. Lambert
CSO | Feb 14, 2017
Risk scoring is not an end in itself once it shows up color-coded and normalized between 0 and 100 in a security operations center (SOC) dashboard. To provide real value it must be supplemented by a closed-loop response process that can automate defensive measures or responses with little or no human intervention.
So, what is a closed-loop response process? One example involves implementing ‘step-up authentication’ where individual risk scores are leveraged. If a user has a high risk score from a behavior analytics solution, perhaps they are presented with three authentication challenges; if their risk score is low, only one challenge.
This method can make multi-factor authentication (MFA) more acceptable to users. It also raises security awareness among high-risk users, especially those with privileged access credentials. In some advanced deployments, passwords are not required when the behavior analytics risk score is low and the user identity and device profile are assured, thus removing friction for the business process.
How does it work? One effective method is to use machine learning to generate behavior analytics that determine risk scores for individual users and entities. For maximum value, the risk scoring should come from both access and activity data sources rather than simple field validations and ranges. Providing the risk scores requires an API layer supporting bi-directional integration between complementary security solutions, such as in the MFA example above.
There are obstacles, however. What if the desired security, access or business application does not have an API for bi-directional integration? This is a key factor, since this model requires the integration of multiple sources of information to produce valid risk scores. It’s critical to bi-directionally share risk scores, data and desired automated response actions between solutions to detect unknown threats, reduce access risk and improve processes.
For example, IAM systems are central to managing identities, accounts and privileges for users and groups. As such, they provide a critical data source for producing identity analytics, which enable a risk-based approach for access certifications, requests and approvals. This eliminates rubber-stamping of certifications and access cloning, which inevitably results in fewer unnecessary privileges and lower access risk.
The closed loop deployment of identity analytics with IAM solutions via bi-directional API enables the following. First, the IAM solution is a data source for the behavior analytics solution to produce identity analytics (or identity access intelligence) to reduce excess access and access risks, as noted above. Second, the behavior analytics solution can monitor the IAM solution to detect access outliers to invoke an access certification request from the account owner. If the access is revoked, the IAM system removes the access and notifies the behavior analytics solution so the risk is removed and risk re-scoring processes begin.
Beyond access outlier remediation is the concept of dynamic access provisioning where a low risk score enables an access request to be provisioned without human approval cycles. This can speed up business process workflows. In fact, some enterprises have been able to eliminate human review and approval for more than one-third of access requests using this closed-loop risk scoring approach.
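As an added illustration (example code, not from the column or any vendor), here is a small Python model of the closed loop described above: peer-group access-outlier detection feeding a 0-100 risk score, the score driving step-up authentication challenges and dynamic provisioning, and the certification, revocation and re-scoring loop. The peer group, entitlements, thresholds and the `owner_certifies` callback are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data: entitlements held by members of one peer group.
# Names, entitlements and thresholds are made up for this example.
PEER_GROUP = {
    "alice": {"crm", "email", "vpn"},
    "bob": {"crm", "email", "vpn"},
    "carol": {"crm", "email"},
    "dave": {"crm", "email", "vpn", "prod_db_admin"},  # rare entitlement
}


def access_outliers(user, group, max_peer_share=0.25):
    """Entitlements held by `user` that fewer than max_peer_share of peers hold."""
    peers = {u: e for u, e in group.items() if u != user}
    freq = Counter(ent for ents in peers.values() for ent in ents)
    return {e for e in group[user] if freq[e] / len(peers) < max_peer_share}


def risk_score(user, group, activity_risk=0):
    """Combine access risk (peer outliers) with an activity-risk input, 0-100."""
    access_risk = min(70, 35 * len(access_outliers(user, group)))
    return min(100, access_risk + activity_risk)


def step_up_challenges(score):
    """Risk-driven step-up authentication: more MFA challenges for riskier users."""
    if score >= 70:
        return 3
    if score >= 40:
        return 2
    return 1


def route_access_request(score, auto_approve_below=20):
    """Dynamic provisioning: low-risk requests skip the human approval cycle."""
    return "auto_provision" if score < auto_approve_below else "human_review"


def closed_loop_certification(user, group, owner_certifies, activity_risk=0):
    """Outlier -> certification request -> IAM revocation -> re-score.

    `owner_certifies(user, entitlement)` stands in for the IAM workflow answer
    (True keeps the access). `group` is updated in place, as the IAM system
    would remove the access, and the new score is returned with the revocations.
    """
    revoked = {e for e in access_outliers(user, group) if not owner_certifies(user, e)}
    group[user] -= revoked
    return revoked, risk_score(user, group, activity_risk)
```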
However, all these examples require bi-directional API integration. This open API concept is often called the ‘democratization of data’ and the future of using analytics for security requires it.
My best practice recommendations are to inventory your current solutions to gain an understanding of the output data they produce. This will help determine whether machine learning can be applied in order to assess risk and score activity. Data that is maintained in silos with limited or no access will impede both the success and use cases for risk scoring and closed-loop responses.
Next, inventory all APIs to verify where bi-directional API integrations for desired closed-loop response deployments are available, and then where risk scores can determine policy actions between systems. More simply put, the magic happens when you can provide the most valuable source data for behavior analytics to drive risk scoring, and when upstream systems can leverage those scores to reduce risk and eliminate manual processes. That is a beautiful two-way street.