April Newsletter 2019
Quote of the Month
“More cowbell, baby!”
– Chuck Fontana, VP, Corporate & Business Development at Okta
Earlier this month we sponsored Oktane19, Okta’s annual user conference. If you’ve never attended, it’s one of the more compelling conferences because they put on an excellent show. They have celebrated speakers, a well-organized exhibit hall, product training sessions and high end entertainment. We were happy to be there to showcase our security analytics integration with Okta.
Risk Based Authentication
Our integration with Okta facilitates risk based authentication. This was a big theme at Oktane19, and something Gurucul has been offering for years. We calculate a real-time risk score based on user outlier behavior percentage, resident user risk and reputation, and data or transaction risk classification. We pass this score to Okta, which can then be used to make real-time authentication and access decisions, while simplifying the user experience and enhancing security.
For example, if a user with a low-risk reputation initiates an application session from a usual location with a known device, the run-time risk score would be low risk. As a trusted user, access would be granted without requiring a password. If the same user then begins accessing unusual information or conducting anomalous transactions (i.e., foreign funds transfer to several accounts not seen before), these are abnormal behaviors for the user. The real-time risk score would increase, potentially to high risk, which would require multi-factor authentication or the account might be suspended. If the user is medium risk, the application could actively limit available functionality and data.
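The escalation described above, as an added example that is not Gurucul's or Okta's code: a small policy engine that combines the three factors the newsletter names (outlier behavior percentage, resident user risk and reputation, data or transaction risk classification) into a score, maps the score to a low, medium or high tier, and turns the tier into an access decision. The weights, tier thresholds, the suspend cut-off and the data classification values are assumptions made for this example; the newsletter does not state how the factors are combined or where the cut-offs lie.

```python
from dataclasses import dataclass

# Assumed weighting and cut-offs (constructed for this example, not from the page).
WEIGHTS = {"outlier": 0.5, "reputation": 0.3, "data": 0.2}
DATA_CLASS_RISK = {"public": 0, "internal": 25, "confidential": 60, "restricted": 100}
LOW_MAX = 30        # score below this is low risk
MEDIUM_MAX = 70     # score below this (and >= LOW_MAX) is medium risk
SUSPEND_MIN = 90    # assumed cut-off above which a high-risk session is suspended


@dataclass
class BehaviorEvent:
    """One user action observed during a session."""
    description: str
    outlier_pct: float   # 0-100: how far the action departs from the user's baseline
    data_class: str      # classification of the data or transaction touched


def _check_range(name, value):
    if not 0 <= value <= 100:
        raise ValueError(f"{name} must be within 0-100, got {value}")


def risk_score(outlier_pct, user_reputation_risk, data_class):
    """Weighted 0-100 score from the three factors; higher means riskier."""
    _check_range("outlier_pct", outlier_pct)
    _check_range("user_reputation_risk", user_reputation_risk)
    if data_class not in DATA_CLASS_RISK:
        raise ValueError(f"unknown data classification: {data_class}")
    score = (WEIGHTS["outlier"] * outlier_pct
             + WEIGHTS["reputation"] * user_reputation_risk
             + WEIGHTS["data"] * DATA_CLASS_RISK[data_class])
    return round(score, 1)


def tier(score):
    if score < LOW_MAX:
        return "low"
    if score < MEDIUM_MAX:
        return "medium"
    return "high"


def access_decision(score):
    """Map a score to the action the application (or IdP) should take."""
    t = tier(score)
    if t == "low":
        return "allow_passwordless"      # trusted user, no password prompt
    if t == "medium":
        return "allow_restricted"        # limit available functionality and data
    if score >= SUSPEND_MIN:
        return "suspend"                 # assumed: extreme score suspends the account
    return "require_mfa"                 # step-up authentication


def evaluate_session(user_reputation_risk, events):
    """Re-score after every event; once suspended, the session stays suspended."""
    decisions = []
    suspended = False
    for ev in events:
        score = risk_score(ev.outlier_pct, user_reputation_risk, ev.data_class)
        decision = "suspend" if suspended else access_decision(score)
        suspended = suspended or decision == "suspend"
        decisions.append((ev.description, score, decision))
    return decisions


if __name__ == "__main__":
    # Constructed session for a user with a good reputation (reputation risk 10).
    session = [
        BehaviorEvent("login from usual location, known device", 5, "internal"),
        BehaviorEvent("browses reports outside normal scope", 55, "confidential"),
        BehaviorEvent("foreign transfer to several unseen accounts", 95, "restricted"),
    ]
    for desc, score, decision in evaluate_session(10, session):
        print(f"{score:5.1f}  {decision:18}  {desc}")
```

Running it shows the same session moving from `allow_passwordless` at login to `allow_restricted` and then `require_mfa` as the outlier percentage climbs, while the same final action by a user whose reputation risk is already 90 crosses the suspend cut-off. The decision is recomputed per event rather than once at login, which is the point of run-time rather than login-time risk scoring.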
It Takes a Village, or Rather a Symphony
At one of the keynotes, Chuck Fontana, VP Corporate & Business Development, equated running the Okta Integration Network with conducting a symphony. Specifically, he was talking about the launch of the new Apps for Good program within the Okta for Good campaign. Apps for Good are pre-built, easily-configured integrations that make it easier than ever for companies and employees to donate time, money, expertise, and more.
It’s a wonderful program. Chuck’s pitch was that we could do more good with more people taking more action. And, the Apps for Good program makes it easy for Okta customers, employees and partners to take giving action. That’s when he said, you know what we really need? “More cowbell, baby!” He was referring to the need for everyone in the audience to chime in and take action. His Okta Integration Network needs more cowbell for Apps for Good. That got us thinking…
Sometimes, More is Better
We’ve all heard the saying, “Less is more.” This is appropriate in many circumstances. Less talking during a movie is better. Fewer words in a sentence is optimal. Definitely less stress in a work day is essential. And, less dialogue in an action movie is better.
When it comes to data about users and entities, however, more is infinitely better. When you’re trying to establish whether a person or entity is behaving badly, the more data you have about what users and entities are doing, when, where and with what entitlements, the more successful you will be at distinguishing malicious behavior from merely anomalous behavior. And, that is the goal of big data security analytics. You’re looking for behavior based signs of malintent. So, the more data you can ingest to get to a decision, the better.
How Much More?
How much behavioral data do you actually need before you know for certain a user’s behavior is criminal rather than simply anomalous? GREAT question! What’s your answer? Is there a specific amount of data, or a specific set of data, that will absolutely distinguish between criminal and anomalous behavior?
Security analytics does not discriminate. It wants all your data. Machine learning models on the backend will filter out data that is not needed for specific behavior models, but when we’re trying to figure out what’s going on with a person or an entity, we want all behavior data. This includes Access Data (Login / Identity Information, Access Entitlements, Roles, Groups and Permissions), Resource Event Logs (Authentication, Authorization, Transaction Execution) and Activity Data (DLP, document repositories, other applications). Below is a non-exhaustive list of the types of data Gurucul’s behavior based security analytics platform ingests to uncover criminal behavior:
Once we have the data, we apply machine learning models to extract intelligence for specific behavior patterns. For predicting insider threats, for example, we have a vast number of behavior models that look for anomalous behavior typical of malicious insiders. Access, activity and resource data is ingested in real-time into our enterprise risk engine which sits on a big data lake. Behavior analytics is applied against all that data to generate 360 degree views of users and entities. This is how we can quickly identify not only anomalous behavior, but risky or criminal behavior.
You need all the diverse data points to paint the broader picture. That’s when you catch bad behavior. And, it’s easy to spot with the right data sources and the most mature machine learning models. Contact us for details. This is our special sauce and what we do better than anyone else at scale. The bigger, the better when it comes to security analytics!
Nearly 75% of RSA Attendees Surveyed Said They Are Vulnerable to Insider Threats
ABCs of UEBA: E is for Entity. The “E” in UEBA stands for “Entity” – User and Entity Behavior Analytics. Traditional entities include servers, desktops, laptops, tablets, printers, routers and mobile phones. However, with the onslaught of Internet of Things (IoT) devices, there are a whole lot of new entities to be monitored with UEBA. What do we mean by Entity Behavior Analytics? Read on… Read More.
Insider Threat Survey Report: RSA 2019. At the 2019 RSA Conference, Gurucul conducted an Insider Threat Survey. We wanted to get a sense for just how prevalent the Insider Threat is in the minds of the practitioners. 671 international IT professionals responded, which is incredible! The Gurucul Insider Threat Survey Report contains the survey questions and results. Read More.
Look at Risk as More of a Compass Than a Watch. We had a great week at RSAC 2019, and a highlight of the week was a well-attended CISO roundtable moderated by the original CISO, Steve Katz. At some point during the conversation, Steve made the comment, “Look at risk as more of a compass than a watch.” A wise observation. Do you know where you’re headed as you map out your risk mitigation strategy? Read More.
A Security Evolution: Taking Security Beyond SIEM with Gurucul Security Analytics. If you came by our booth at RSA Conference 2019, you probably sat down for a short presentation exploring Gurucul’s behavior-based security analytics and how it differs from a SIEM. Read our blog to learn how Gurucul is leading an evolution from black box analytics to machine learning and risk scores! Read More.
Health-ISAC 2019 Spring Summit. May 13-17, 2019. Ponte Vedra Beach, FL. Gurucul will have a panel of healthcare customers presenting at this year’s Summit on “Behavior Based Security Analytics Best Practices”. Join us!
Infosecurity Europe. June 4-6, 2019. London. Join Gurucul in the US Pavilion in booth #140. We will be showcasing our Behavior Based Security Analytics platform.
Gartner Security & Risk Management Summit. June 17-20, 2019. National Harbor, MD. This is the year’s most valuable information update and networking opportunity for CISOs and security, risk and resilience professionals.