Earlier this month we sponsored Oktane19, Okta’s annual user conference. If you’ve never attended, it’s one of the more compelling conferences because they put on an excellent show. They have celebrated speakers, a well-organized exhibit hall, product training sessions and high-end entertainment. We were happy to be there to showcase our security analytics integration with Okta.
Risk Based Authentication
Our integration with Okta facilitates risk-based authentication. This was a big theme at Oktane19, and something Gurucul has been offering for years. We calculate a real-time risk score based on the user’s outlier behavior percentage, resident user risk and reputation, and the risk classification of the data or transaction involved. We pass this score to Okta, which can then use it to make real-time authentication and access decisions, simplifying the user experience while enhancing security.
For example, if a user with a low-risk reputation initiates an application session from a usual location with a known device, the run-time risk score would be low. As a trusted user, access would be granted without requiring a password. If the same user then begins accessing unusual information or conducting anomalous transactions (e.g., a foreign funds transfer to several accounts not seen before), these are abnormal behaviors for that user. The real-time risk score would increase, potentially to high risk, which would require multi-factor authentication or result in the account being suspended. If the user is medium risk, the application could actively limit the available functionality and data.
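The scenario above, written out as a small scoring and decision routine. This is an added illustration, not Gurucul’s or Okta’s code; the factor weights, score thresholds, the known-location/device/counterparty sets and the sample session events are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and decision thresholds: assumed for illustration only,
# not Gurucul's scoring model and not values Okta defines.
WEIGHTS = {"outlier_pct": 0.5, "reputation": 0.3, "data_risk": 0.2}
KNOWN_LOCATIONS = {"Los Angeles"}            # assumed baseline for this user
KNOWN_DEVICES = {"laptop-7f3a"}              # assumed known device id
KNOWN_COUNTERPARTIES = {"ACME Payroll", "Utility Co"}


@dataclass
class UserProfile:
    reputation: float  # resident user risk/reputation: 0.0 trusted .. 1.0 risky


def outlier_pct(events):
    """Fraction of session events that fall outside the user's baseline."""
    if not events:
        return 0.0
    flagged = 0
    for e in events:
        unusual = (e["location"] not in KNOWN_LOCATIONS
                   or e["device"] not in KNOWN_DEVICES
                   or e.get("counterparty") not in (None, *KNOWN_COUNTERPARTIES))
        flagged += unusual
    return flagged / len(events)


def risk_score(profile, events, data_risk):
    """Weighted 0..100 score from the three factor families named in the text."""
    for v in (profile.reputation, data_risk):
        if not 0.0 <= v <= 1.0:
            raise ValueError("risk factors must be in [0, 1]")
    raw = (WEIGHTS["outlier_pct"] * outlier_pct(events)
           + WEIGHTS["reputation"] * profile.reputation
           + WEIGHTS["data_risk"] * data_risk)
    return round(raw * 100)


def access_decision(score):
    """Map the score to the access tiers described in the text."""
    if score < 30:
        return "allow_passwordless"  # low risk, trusted user
    if score < 60:
        return "allow_limited"       # medium risk: restrict functionality/data
    if score < 85:
        return "require_mfa"         # high risk: step-up authentication
    return "suspend"                 # very high risk: suspend the account


# Constructed sample session: a login from the usual place on the known device,
# followed by funds transfers to counterparties never seen before.
LOGIN = [{"location": "Los Angeles", "device": "laptop-7f3a"}]
TRANSFERS = [{"location": "Los Angeles", "device": "laptop-7f3a", "counterparty": c}
             for c in ("Offshore A", "Offshore B", "Offshore C", "Offshore D")]
```

A real deployment would recompute the score on every event so the decision can move from passwordless access to step-up or suspension mid-session.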
It Takes a Village, or Rather a Symphony
At one of the keynotes, Chuck Fontana, VP Corporate & Business Development, equated running the Okta Integration Network with conducting a symphony. Specifically, he was talking about the launch of the new Apps for Good program within the Okta for Good campaign. Apps for Good are pre-built, easily-configured integrations that make it easier than ever for companies and employees to donate time, money, expertise, and more.
It’s a wonderful program. Chuck’s pitch was that we could do more good with more people taking more action. And the Apps for Good program makes it easy for Okta customers, employees and partners to take giving action. That’s when he said, “You know what we really need? More cowbell, baby!” He was referring to the need for everyone in the audience to chime in and take action. His Okta Integration Network needs more cowbell for Apps for Good. That got us thinking… how can we apply this to security analytics?
Sometimes, More is Better
We’ve all heard the saying, “Less is more.” This is appropriate in many circumstances. Less talking during a movie is better. Fewer words in a sentence is optimal. Less stress in a workday is definitely essential. And less dialogue in an action movie is better.
When it comes to data about users and entities, however, more is infinitely better. When you’re trying to establish whether a person or entity is behaving badly, the more data you have about what users and entities are doing, when, where and with what entitlements, the more successful you will be at distinguishing malicious behavior from merely anomalous behavior. That is the goal of big data security analytics. You’re looking for behavior-based signs of malicious intent. So, the more data you can ingest to reach a decision, the better.
How Much More?
How much behavioral data do you literally have to have before you know for certain whether a user’s behavior is criminal or simply anomalous? GREAT question! What’s your answer? Is there a specific amount of data, or a specific set of data, that will absolutely distinguish between criminal and anomalous behavior?
Security analytics does not discriminate. It wants all your data. Machine learning models on the backend will filter out data that is not needed for specific behavior models, but when we’re trying to figure out what’s going on with a person or an entity, we want all of the behavior data. This includes Access Data (Login / Identity Information, Access Entitlements, Roles, Groups and Permissions), Resource Event Logs (Authentication, Authorization, Transaction Execution) and Activity Data (DLP, document repositories, other applications). Below is a non-exhaustive list of the types of data Gurucul’s behavior-based security analytics platform ingests to uncover criminal behavior:
- User Data (HR or Customer): Job Title, Manager, Other peer group info, Performance rating
- Network Authentication Logs
- AD Event Logs
- Platform Security Logs
- VPN Event Logs
- Endpoint DLP Alerts
- DLP Gateway
- CMDB / Configuration Management DB
- Privileged Access Management Event Logs
- Application Event Logs
- File Server / Document Repository Activity Logs (SharePoint, OneDrive, Box, Documentum, Source Code Control)
- SIEM / Log Aggregation
- Network / Packet NetFlow
- Cloud Infrastructure
- IDM Integration
- Physical Building Access / Physical Security Logs
- Unix LDAP Groups
- AD / Windows Groups
- Application Roles, Groups, Entitlements
- Segregation of Duties Rules
- Data Owner Context
- Resource Classification
Once we have the data, we apply machine learning models to extract intelligence about specific behavior patterns. For predicting insider threats, for example, we have a vast number of behavior models that look for the anomalous behavior typical of malicious insiders. Access, activity and resource data are ingested in real time into our enterprise risk engine, which sits on a big data lake. Behavior-based security analytics models are applied against all that data to generate 360-degree views of users and entities. This is how we can quickly identify not only anomalous behavior, but risky or criminal behavior. You need all the diverse data points to paint the broader picture. That’s when you catch bad behavior. And it’s easy to spot with the right data sources and the most mature machine learning models. Contact us for details. This is our special sauce and what we do better than anyone else at scale. The bigger, the better when it comes to security analytics!