Identity is the “2015 Word of the Year,” based on Dictionary.com's analysis of the most robust areas of language evolution and on user interest and look-ups for the year. One prominent theme about identity that they did not cover is identity as a threat plane. The compromise or misuse of identity is often at the root of modern threats. Add that cloud apps are diminishing perimeters and that mobility provides access over networks outside our control points, and identity becomes a new perimeter.
Identity enables insider threats, and its compromise provides access to outsiders. Most security teams treat identity and access as a light switch: once it is ON, you are in the network they control. Beyond misuse and compromise, identity is often poorly managed, with excess access, shared high-privilege accounts, inaccurate and verbose peer groups, legacy rules with manual processes, and orphan and dormant accounts. Most security analysts are focused downstream on detection and response, looking to map IP addresses to users, and miss identity as a threat plane to manage and monitor. Even more important is viewing identity for on-premises and cloud apps from a single pane of glass.
The misuse and compromise of identity evades traditional preventive defenses. Poorly managed identity and access opens the threat plane to phishing attacks, keyloggers and social engineering aimed at compromising credentials. Misuse and compromise can go undetected for weeks or months while traditional detective defenses are overwhelmed by data volume, velocity and variety. Pulling loose threads to investigate does not address the scale or timeliness required to solve the problem.
What makes identity addressable as a threat plane is the ability to detect anomalies with user behavior analytics and then apply predictive risk scoring to focus ‘find / fix’ resources. Clustering machine learning algorithms that leverage dynamic peer groups enable more accurate detection of outliers in behavior patterns. In simple terms, you model good behavior to detect unknown bad. However, this is well beyond rules and what humans can analyze via queries and filters. Over 200 attributes are analyzed over weeks and months to develop baseline behavior patterns with nuances that humans and traditional software engineering cannot easily recognize. Call it data science for data volume: a force multiplier that makes security teams more efficient and effective.
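As an added illustration (not code from this article or from any product), the sketch below scores one attribute, distinct resources accessed per day, against each user's own baseline and their peer group's baseline, and compares the result with a fixed threshold rule. It substitutes simple median/MAD statistics for the clustering models described above; the user names, peer groups, counts and the 0-100 scale are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: distinct resources accessed per day during a
# baseline window, keyed by user, with an assumed peer-group label.
BASELINE = {
    "alice": ("finance", [4, 5, 4, 6, 5]),
    "bob": ("finance", [5, 6, 5, 4, 6]),
    "carol": ("finance", [3, 4, 4, 5, 4]),
    "dave": ("engineering", [20, 22, 19, 21, 20]),
    "erin": ("engineering", [18, 21, 20, 19, 22]),
}
TODAY = {"alice": 5, "bob": 41, "carol": 4, "dave": 21, "erin": 20}  # constructed


def robust_z(x, sample):
    """Median/MAD z-score; the scale is floored so a flat baseline cannot divide by zero."""
    med = median(sample)
    mad = median([abs(v - med) for v in sample])
    return (x - med) / max(1.4826 * mad, 1.0)


def risk_score(user, today=TODAY, baseline=BASELINE):
    """0-100 score: high only if today is unusual for the user AND for their peers."""
    group, own = baseline[user]
    peers = [v for u, (g, vals) in baseline.items() if g == group and u != user for v in vals]
    z = min(robust_z(today[user], own), robust_z(today[user], peers or own))
    return round(min(100.0, 10.0 * max(0.0, z)))


def rank(today=TODAY, baseline=BASELINE):
    """Users ordered by descending risk, so review effort goes to the top of the list."""
    return sorted(((u, risk_score(u, today, baseline)) for u in today), key=lambda p: (-p[1], p[0]))


def static_rule(today=TODAY, limit=15):
    """A fixed threshold for comparison: it ignores what is normal per peer group."""
    return sorted(u for u, n in today.items() if n > limit)


if __name__ == "__main__":
    print("static rule flags:", static_rule())
    for user, score in rank():
        print(f"{user:6} {score:3}")
```

On this sample the fixed threshold flags every engineer along with bob, while the peer-relative score isolates bob alone.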
While machine learning is a new concept for looking at identity as a threat plane, we are surrounded by machine learning in our daily lives, from voice recognition in smartphones, maps that detect traffic congestion and accidents, and smart traffic signals and cities, to the development of autonomous driving vehicles. Machine learning and the data science behind it are changing the way we look at identity, risk-based access, misuse and compromise. To be successful, a hybrid behavior analytics architecture is required that spans on-premises and cloud for identity access intelligence and user behavior analytics. Yes, identity is the word of the year.