During the Black Hat USA conference, Gurucul was ‘mad’ about Machine Learning! We presented a new machine learning model every hour. Here’s the model for hour 3.
Gurucul Machine Learning Model: Entitlement Classification
How does the Entitlement Classification machine learning model work, and what does it do? This model places evaluated identities with similar entitlement profiles into buckets. Once this is done, you can compare behavioral baselines of these ‘bucketed’ identities and evaluate whether their current behavior is similar or different – to uncover potentially anomalous activity.
The average user identity has more than 100 entitlements. Tagging identities who share similar entitlements helps to baseline normal behaviors for those identities. It’s also critical to know which identities in your company possess the most elevated levels of privileged access.
Entitlement Classification aids in discovering which identities are considered “privileged accounts” based on what access has been granted via entitlements. This model discovers who holds privileged entitlements, including entitlements that may have been elevated after initial provisioning or that exist within poorly configured COTS applications or unstructured data.
Use Case: Privileged Account Discovery
This is one of many machine learning models used to uncover and prevent privileged access abuse. The first order of business is to discover which identities have privileged entitlements. It also assists in discovering who has privileged access by activity: Are they using the sudo command? Are they logging in as root? Are they installing programs? Are they removing or altering data? Are they administering databases?
Consider the example where a current employee moves over to join the Marketing Team for their company. She is excited to switch roles and careers after toiling for several years in the Accounting Department. The problem occurs when it’s later discovered that this Marketing department employee still has the same access levels to company financial information she regularly used when working as a company accountant. It’s further problematic when examining this user’s recent online access and application activity. She has been utilizing her previous privileged access entitlements from her accounting days to gather information to perform her new role in Marketing. This is a big “NO NO” and is a clear demonstration of privileged access abuse.
Just because a user account has been granted elevated privileges to access certain data and systems does not imply that these privileges should be used. Technology can help uncover these unknowns so they can be remedied.
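The bucketing idea and the Accounting-to-Marketing scenario above, as an added example (not Gurucul's model or code): identities are grouped by Jaccard similarity of their entitlement sets, and an identity whose bucket is dominated by another department is flagged along with the privileged entitlements it holds. The identity names, entitlement names, privileged set and 0.5 threshold are constructed assumptions.

```python
# Added illustration, not Gurucul's model. All data below is constructed.
from collections import Counter

# identity -> (department, entitlement set)
IDENTITIES = {
    "alice": ("Accounting", {"gl_read", "gl_post", "payroll_read", "email"}),
    "bob":   ("Accounting", {"gl_read", "gl_post", "payroll_read", "email", "vpn"}),
    "carol": ("Marketing",  {"cms_edit", "crm_read", "email", "vpn"}),
    "dave":  ("Marketing",  {"cms_edit", "crm_read", "email"}),
    # Moved from Accounting to Marketing; old access never revoked.
    "erin":  ("Marketing",  {"gl_read", "gl_post", "payroll_read", "email", "cms_edit"}),
}
PRIVILEGED = {"gl_post", "payroll_read"}  # assumed privileged entitlements


def jaccard(a, b):
    """Similarity of two entitlement sets: |intersection| / |union|."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def bucket(identities, threshold=0.5):
    """Greedy clustering: join the first bucket whose seed profile is similar enough."""
    buckets = []  # list of (seed entitlement set, member names)
    for name in sorted(identities):
        ents = identities[name][1]
        for seed, members in buckets:
            if jaccard(seed, ents) >= threshold:
                members.append(name)
                break
        else:
            buckets.append((ents, [name]))
    return [members for _, members in buckets]


def outliers(identities, buckets):
    """Flag identities whose entitlement bucket is dominated by another department."""
    flagged = {}
    for members in buckets:
        majority = Counter(identities[m][0] for m in members).most_common(1)[0][0]
        for m in members:
            dept, ents = identities[m]
            if dept != majority:
                flagged[m] = (majority, sorted(ents & PRIVILEGED))
    return flagged


if __name__ == "__main__":
    groups = bucket(IDENTITIES)
    print(groups)
    print(outliers(IDENTITIES, groups))
```

Flagged identities are candidates for an access review; comparing their recent activity against the rest of the bucket is the behavioral step the model description refers to.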
What are the benefits of Entitlement Classification?
Gurucul Entitlement Classification gives you a complete accounting of who holds an account in your identity systems, and what privileges and entitlements have been assigned to those accounts. You get a definitive list of who really has privileged access, who’s actively using it as well as where and how they’re using it.
Using Entitlement Classification, Gurucul Risk Analytics has helped our customers uncover more than 70% of unknown privileged access in their computing environments. Further, Gurucul Risk Analytics has proven to be a critical component that can help customers decide which identities and accounts to enter into their Privileged Access Management (PAM) solution. Most customers find that their inventory of privileged access accounts is incomplete, and that can prove to be a dangerous situation with serious ramifications, including regulatory issues.
Complete the picture with Gurucul behavior-based security analytics! Know who’s inside and what they’re actually doing.