Ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you’re likely to get some confused looks. Here’s why.
darkreading| June 27, 2016
Account compromise and misuse have emerged as the root cause of most of today’s data breaches. Using basic phishing and social engineering techniques, attackers can easily acquire the credentials they need to hijack identities and walk undetected through the digital front door of a victim organization. To make matters worse, hybrid environments that span both on-premises and cloud apps create a significant blind spot that makes it even more difficult to detect account compromise threats.
One of the reasons for that is because “identity” is a plane with two sides. One side is loaded with access risks created by legacy identity management rules and processes. The other side is a threat plane open to compromise, data exfiltration, and malicious insiders.
Access risks result from excess accounts, privileges, group and role volume proliferation, orphan accounts, dormant accounts, and shared high privilege access accounts. Their sheer numbers make them virtually impossible to manage using manual processes and legacy identity management rules. Providing access for revolving employees, contractors, partners, and even customers, just makes matters worse.
Identity-based threats including malicious insiders, account compromise or hijacking, access abuse, cyber fraud, and data exfiltration are difficult to detect with declarative defenses, human analysis, or traditional software. Time-to-infection is often measured in minutes, while dwell time (before detection) can be weeks or months.
Needed: A Holistic Approach
Since both sides of the identity plane are linked, a holistic approach is required to eliminate the security blind spot between cloud and on-premises infrastructures. For example, it’s necessary to identify and eliminate excess access risks to reduce the identity attack surface area open to phishing and social attacks. Meanwhile, monitoring access and activity associated with legitimate identities will expose compromise and unknown threats.
However, ask most enterprise security analysts responsible for detection and response about their visibility into identity access risks and you are likely to get some confused looks. Identity access is often managed in a different part of the organization than security operations.
Let’s consider some examples to illustrate the scope of these challenges.
We’ll start with the access side of the identity plane. Let’s say a manager has 100 employees reporting to them. To keep things simple, we will assume each employee has 10 user accounts and each account has 10 privileges, which equals 10,000 entitlements. These could be on-premise and/or cloud accounts — and likely are. Every 90 days, for compliance purposes, the manager must review these entitlements, then approve or revoke those that are or aren’t necessary for each employee to perform their job functions. Meanwhile, some managers may have high privilege access accounts shared using a simple password.
On the threat side of the identity plane, IT security teams must monitor access and activity associated with “legitimate” accounts (both on-premises and cloud) for signs of anomalous behavior by insiders or account hijacking by external attackers. This is difficult to accomplish, since most of this activity looks “normal” at first blush.
User Accounts: The New Security Perimeter
In addition to these challenges, cloud and mobility continue to erode any last remnants of a traditional security perimeter. This leaves enterprises with a borderless environment to defend where identity provides the keys to the kingdom.
So how can enterprises eliminate this blind spot? While log event managers or SIEM products can monitor on-premises activity, they have very limited visibility into cloud apps. This functionality is provided by another solution, cloud access security brokers (or CASB). It’s important to note that an API-based CASB can provide visibility into enterprise-sanctioned cloud apps accessed via mobile devices without compromising ease of access for users. However, private or consumer data-sharing apps will require a forward or reverse proxy to detect this type of shadow IT activity.
Addressing the cloud and data center security gap requires a mix of data sources. Gathering on-premises and cloud app data access and activity can be achieved with log event management or SIEM plus CASB API or proxy solutions as data sources. Meanwhile, identity, account and privilege data can be extracted from identity access management platforms and directories.
Since the volume of access and activity outputs generated by employees, partners, and customers is beyond large and growing, a big data infrastructure is required to harness it. Making sense of these huge data volumes and analyzing the context to identify excess access risks and behavior anomalies is a data science challenge that the industry is addressing with machine learning.
Solving it is imperative to address the blind spots created between cloud and on-premise apps, now that user accounts have become the new security perimeter in a borderless environment