San Diego weather, great food, and spending time with leading architects and innovators made for a few good days at Gartner Catalyst. Here are our highlights from attending the event.
- Sense, Adapt and Scale was the keynote theme. Sense with big data, cloud and machine learning, plus store for value. Using analytics, adapt by reacting, predicting and ultimately prescribing. Scale is about enabling sense and adapt functions in all places, mainly by adopting a cloud-first strategy. Prepare to manage millions of edge devices and identities to enable a digital business disruptor strategy with closed-loop operations.
- Insider threat survey results informed us that manufacturing was the top industry; 62% of insiders remain employed to steal more data, while 29% depart to stream into new jobs. Just over half of those surveyed noted having one or more insider threat incidents and, by show of hands in the session, ~1/3 prioritize insider threats. While the topic is distasteful for many companies, 55% have some type of insider threat program, where IT is most likely to own and manage it.
- So what works for insider threats? Well, zero reported DLP working for insider threats; the top controls were access monitoring, email and endpoint, with internal audit and log review being beneficial. Five key elements for insider threat were UEBA, people-centric (self audit, educate, deter) and data-centric (DRM, DCAP) security programs, plus formalizing controls and processes, locating and classifying sensitive data, and remembering to cover sabotage.
- Identity Analytics (IdA) was noted as the third phase of IAM, as discovery remains an open issue. Identity is the new perimeter and attack vector. Who has access, and what they are doing with it, has been a known gap for IAM. Identity analytics is a new solution to mind this gap, creating IAM + IdA as a solution set. IAM has evolved through user account provisioning in the mid-1990s into identity access and governance, mainly due to SOX in the early 2000s, and is now entering a risk-based identity analytics phase.
- So what makes up Identity Analytics and what are the benefits? IdA requires: data mining, identity correlation, behavior and data analytics, risk scoring, data presentation, continuous monitoring and alerting. Benefits include: removing the rubber stamp, reducing risk and cleaning up access, enhancing access requests with risk scoring, account clean-up and new roles based on behavior analytics, and monitoring users to see who has become privileged by entitlements, sharing accounts, etc. Also closed-loop remediation via API. Identity analytics has been missing from security analytics and is now emerging. Gurucul was noted as an IdA vendor in the sweet spot, leveraging its UEBA architecture of big data and machine learning models.
- The event booth perspective: in conversations, many noted they are deploying their own data lakes for machine learning and wanted to validate that we did not license on data volume. It appears the high fees for indexing data in SIEMs are an issue. The worst case described to us was loading up long-term data into a SIEM and downloading cloud tail logs, thus paying high fees for cloud to on-premises data transfer and indexing fees…ouch! For the record, we license by identity, so store all the data you desire; the context of big data is what machine learning desires and is our future.
- Hybrid environments will need UEBA, IdA and Cloud Security Analytics, and this leads to a platform architecture. Mini-features within siloed solutions lack the context of big data for accuracy in machine learning models. Having disconnected UEBA, IdA and Cloud Security Analytics covers the check box feature list, but lacks the 360-degree visibility of identity, accounts, access and activity. One question brings this to the surface – how can privileged access abuse be detected if you do not know where privileged access resides (accounts, entitlements)?
One theme from the start of the conference to the end was identity and the role it plays for security, scale and digital disruption, whether for business advantage or for those that attack us.