Account compromise and privileged access abuse have emerged as the root cause of most of today’s data breaches. According to Cybersecurity Insider’s Insider Threat Report, 63% of organizations think that privileged IT users pose the biggest insider security risk. .
Criminals use basic phishing and social engineering tactics to easily acquire the credentials they need to hijack identities and walk undetected through the digital front door of an organization. Hybrid environments spanning on-premises and cloud networks often make matters worse by creating a blind spot that makes it difficult to detect account compromise threats.
The reason is that “identity” is a plane with two sides. One side of the plane is loaded with access risks created by legacy identity management rules and processes. The other side is susceptible to compromise, data exfiltration, and malicious insiders.
Access risks stem from excess accounts and privileges, access sprawl, orphan accounts, dormant accounts, and shared privileged access accounts. The sheer numbers of these accounts make them virtually impossible to manage with manual processes and legacy identity management rules. When you factor in access for revolving employees, contractors and partners, the situation becomes even more complicated. And remember, time-to-infection is often measured in minutes, while dwell time (before detection) can be weeks or months. According to the Ponemon Institute, it takes US companies an average of 206 days to detect a data breach.
However, ask most security operations center analysts responsible for threat detection and response about their visibility into identity access risks and you are likely to get some confused looks. Identity access is often managed by a different group than security operations.
Since both sides of the identity plane are linked, a holistic approach is required to eliminate the security blind spot between cloud and on-premises infrastructures. For example, it’s necessary to identify and eliminate excess access risks to reduce the identity attack surface area. Meanwhile, monitoring access and activity associated with legitimate identities can expose unknown threats.
Here are a couple of examples that illustrate the scope of these challenges.
Let’s start with the access side of identity. Say a department manager has 100 employees reporting to him. To keep it simple, we’ll assume that each employee has 10 user accounts and each account has 10 privileges. That equals 10,000 entitlements (although in reality these numbers are usually much higher). These could be on-premise and/or cloud accounts — and likely are both. Every 90 days, for regulatory compliance reporting, the manager must review these entitlements. Then he must approve or revoke them for each employee based on their job functions. Meanwhile, some IT managers may have privileged access accounts with a simple password shared amongst employees – so it’s not possible to tell who is using the account and when.
On the threat side of identity, IT security teams must monitor access and activity associated with “legitimate” accounts (both on-premises and cloud) for signs of anomalous behavior by insiders or account hijacking by external attackers. This is difficult to accomplish, since most of this activity appears “normal” at first look.
In addition to these challenges, cloud and mobility continue to erode the last remnants of the traditional security perimeter. This leaves enterprises with a borderless environment to defend where identity provides the keys to the IT kingdom.
So how can enterprises eliminate this blind spot? While log event managers or SIEM products can monitor on-premises activity, they have limited visibility into cloud apps. That functionality is provided by cloud access security brokers (CASB). An API-based CASB can provide visibility into enterprise-sanctioned cloud apps accessed via mobile devices without compromising ease of access for users.
Addressing the cloud and data center security gap requires many data sources. Gathering on-premises and cloud data and activity can be achieved with log event management or SIEM plus CASB solutions as data sources. Meanwhile, identity, account and privilege data can be extracted from IAM products.
The volume of access and activity data generated by users is now massive and still growing. A big data infrastructure is required to harness it all. Making sense of these enormous data volumes and analyzing the context to identify access risks and behavior anomalies is a data science challenge that Gurucul is addressing with our Identity Analytics product.
Gurucul Identity Analytics surpasses the capabilities of human employees by leveraging machine learning models to define, review and confirm accounts and entitlements for access. It uses dynamic risk scores and advanced analytics data as key indicators for provisioning, de-provisioning, authentication, and privileged access management.
According to one of our customers, Gurucul Identity Management resulted in a 50% reduction in privileged access risk. We think it can do the same for you.
Download our whitepaper Identity Analytics Use Cases to learn more.