Security Trends From the 2022 RSA Conference USA
Part 1 – Identity and Access Analytics for Zero Trust and XDR
A lot of vendors are talking about identity being the true perimeter or the “next big thing” to secure. The reality is that identity by itself was always designed to make sure that the right people had the right access to the right systems, and that the wrong people did not.
However, it’s becoming obvious that there is a disconnect between how identity is primarily associated with access to business infrastructure vs. how security operations teams need to properly monitor and detect inappropriate access. This ability to monitor and detect applies equally to an internal or an external threat actor. By resolving that disconnect, organizations can achieve more effective policies, monitoring, and enforcement of identity-based security policies across applications, networks, and devices.
Who Owns Identity and Why?
Identity has always been part of a user’s IT onboarding process, even before dedicated security teams existed. When security teams were first created within an organization, they were often dedicated to watching over the network, firewalls and VPNs. Even anti-virus was usually owned by the desktop or server team under IT. The fundamental ownership of identity through Identity Access Management (IAM) and/or Privileged Access Management (PAM) solutions continues that trend and is generally handled within IT today.
The flaw in this approach is that the identity team is primarily tasked with setting up user identities and using some form of authentication and directory lookups to understand the access rules. Unless a change request occurs for access modifications to a new or existing application, or a change in job role occurs, the system is usually “set it and forget it.”
Is Zero Trust the Holy Grail?
Although secure identities are a core component of Zero Trust, the approach is generally focused on tying the whole IT stack to the identity and tightening access controls. Really, this is about adopting a “least privileged access” model, which means users get access to the minimum set of resources needed, based on their role (i.e., identity). So, it is less about network or application access per se, and more about granting finer-grained access across the board.
Adopting a Zero Trust architecture also benefits the security operations center (SOC) and Insider Risk/Threat teams. Limiting users’ movement through privileged access policies can potentially help security teams identify access outliers or violations. Unfortunately, these types of security events are often not triggered, and a security analyst must rely on other data sources to manually conclude that they need to investigate access and usage rights, which generally requires support from the broader IT group.
But how do you know you’ve set up your access policies and controls correctly? Trial and error? Red team testing? How do you know if an ex-contractor’s access was never revoked? Did someone on the supplier team tell IT? What if a threat actor stole a bunch of harvested credentials off the dark web? All these unanswered questions can make Zero Trust extraordinarily untrustworthy. Since most small organizations (500 identities and above) already use more than 25 systems of identity, IT and security teams are often hard pressed to invest the time and effort to baseline existing access policies, let alone monitor and secure them.
RSAC and Identity Analytics: Marketers Ruin Everything!
The current crop of identity analytics solutions that were talked about at RSAC 2022 have, unfortunately, once again been convoluted by over-ambitious marketing teams. In discussions with various vendors and prospects over the course of 3+ days, it was obvious that most identity, XDR and SIEM vendors have one thing in common: they use the word analytics to represent basic correlation rules. Putting together multiple sets of data is not “doing analytics.” Worse, most identity analytics solution claims are based on scraping Active Directory information and calling that “analytics.”
Combining identity analytics solutions that interrogate IAM and PAM solutions for access privilege information, roles, entitlements, etc., with solutions (i.e., XDR, NGSIEM, etc.) that monitor user/identity and entity behaviors, network traffic, application, and endpoint (including IoT) analytics not only provides full observability of your network in preparation for furthering Zero Trust goals, but also enables security teams to detect identity-based threats.
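To make the two points above concrete (baselining access so that unrevoked or dormant accounts surface, and joining IAM entitlement data with observed behavior to flag out-of-role access), here is an added example that is not from the article or from any vendor product. It assumes three constructed inputs: an HR roster with status and role, a role-to-system entitlement baseline, and a directory export plus application access events; the names and data are hypothetical.

```python
from datetime import datetime, timedelta
# Constructed sample data, not from the article: HR roster, role entitlement
# baseline, directory export, and application access events.
HR = {
    "alice": {"status": "active", "role": "engineer"},
    "bob":   {"status": "terminated", "role": "contractor"},  # contract ended
    "carol": {"status": "active", "role": "finance"},
}
ENTITLEMENTS = {  # least-privilege baseline: systems each role may use
    "engineer": {"git", "ci"},
    "contractor": {"ticketing"},
    "finance": {"erp"},
}
ACCOUNTS = {  # directory export: still enabled? last successful logon
    "alice": {"enabled": True, "last_logon": "2022-06-10T09:00:00"},
    "bob":   {"enabled": True, "last_logon": "2022-06-11T02:15:00"},  # never revoked
    "carol": {"enabled": True, "last_logon": "2022-01-05T10:00:00"},
}
EVENTS = [  # (user, system, timestamp) from application/auth logs
    ("alice", "git", "2022-06-10T09:00:00"),
    ("bob", "ticketing", "2022-06-11T02:15:00"),
    ("alice", "erp", "2022-06-10T11:30:00"),  # outside the engineer baseline
]

def find_unrevoked(hr, accounts):
    """Enabled accounts whose owner is not active in HR (or unknown to HR)."""
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and hr.get(u, {}).get("status") != "active")

def find_dormant(accounts, now_iso, max_idle_days=90):
    """Enabled accounts with no logon inside the idle window ending at now_iso."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and datetime.fromisoformat(a["last_logon"]) < cutoff)

def find_entitlement_violations(hr, entitlements, events):
    """Access events to systems outside the user's role baseline."""
    hits = []
    for user, system, ts in events:
        allowed = entitlements.get(hr.get(user, {}).get("role"), set())
        if system not in allowed:
            hits.append((user, system, ts))
    return hits

def review(hr, entitlements, accounts, events, now_iso):
    """One pass that joins identity state with observed behaviour."""
    return {"unrevoked": find_unrevoked(hr, accounts),
            "dormant": find_dormant(accounts, now_iso),
            "out_of_role": find_entitlement_violations(hr, entitlements, events)}
```

Note that bob's ticketing access is within his role baseline and would pass a pure entitlement check; only the join with HR status exposes it as use of an account that should have been revoked.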
True Identity Analytics and Trained Machine Learning are the future of XDR and NGSIEM
Whether you have an existing SIEM and are looking to accelerate your threat detection capabilities, you’d like to improve the accuracy of your detection by adding XDR, or you are ready to ditch your existing old-gen SIEM to improve your overall security operations, identity is a critical part of the overall puzzle. As IAM and PAM are also evolving to work in multi-cloud environments, your security operations platforms must be fully functional to handle new and existing Zero Trust initiatives and prevent identity-theft-based attack campaigns. This isn’t about making marketing claims to appear innovative or adding a checkbox. This is about solving a major security gap that threat actors consistently leverage to thwart defenses and inflict damage on people and organizations for financial gain. Gurucul delivers an integrated Security Analytics and Operations Platform with the broadest depth and breadth of security analytics to accelerate the automation of data collection, detection, and investigations, and to improve the accuracy of response based on a risk-driven approach.
Watch The Webinar
To learn more, watch our webinar.
On Demand Webinar: Identity Analytics as a Cornerstone for Implementing Successful Zero Trust