Identifying security gaps is a favorite pastime of security professionals. We lovingly spend our time performing risk assessments, drafting and administering policies, implementing defensive technologies, and generally trying to anticipate the angle of the next attack.
As much fun as that is, in many cases, we’re missing the obvious. People are our security problem.
The people problem
Security teams that focus on "what" is happening, and on which layers of defense have been breached, are constantly in reactive mode. Reviewing reams of data produced by firewalls, network devices and servers is not, by itself, making organizations more secure. With this approach, the team fails to prevent breaches or to respond in a sufficiently timely way. Instead, adding more data and more complexity perversely prevents the end result: protecting sensitive information.
The significant breaches of today are executed by people infiltrating the organization, and attackers do this by assuming legitimate identities or by abusing insider privileges.
There is a gap between the firewall (the initial line of defense) and the data-centric analysis and alerts received by the security team (the organization's last line of defense). Tracking user activity, and in particular correlating suspicious behaviors with privileged users, would allow organizations to close this gap.
Knowledge of identity can cut through the overwhelming event noise and data explosion that, by all accounts, continues to leave security organizations blind: unable to respond to real threats, or even to detect that they are under attack.
It is time to incorporate identity into the organization's overall security strategy and, more specifically, into its breach prevention strategy. We have to stop accepting an approach that leaves this gap open by focusing on data and devices rather than on people. As the network perimeter dissolves, identity will increasingly be the primary factor that matters to the security team.
Identity data is pervasive, yet it is typically absent from the security world view. Our corporate identity (the personal identity elements we bring into the corporate environment) together with our behavior are the aggregate details essential for building a picture of what is happening within, and beyond, the corporate perimeter. They offer the security team the context it needs to choose the appropriate response to potential threats and real attacks.
The critical piece in this approach is the security organization's ability to understand the full scope of identity: who the person behind any given device really is, and whether they are behaving abnormally. This is particularly helpful for identifying attackers who have managed to acquire privileged user credentials, since their credentials are valid and only their behavior gives them away.
Yet, this raises a fundamental, but non-trivial challenge. How can you know what is normal behavior, particularly at large scale?
Identifying normal behavior
One way to reduce the scope is to focus on the highest-risk identities first. If you accept that the greatest risk comes from identities inside your organization that can access sensitive information (privileged users, including non-human service accounts that hold elevated rights), then the steps are as follows:
1) Reduce the number of privileged users, identities and accounts.
2) Limit the privileges any one user has to the systems and applications necessary to do their job.
3) Integrate the identities of privileged users into security and risk monitoring to spot behavior that may indicate a breach.
The first two steps are classic identity and access management (least privilege), although many organizations still struggle with these basics. The easy example is the industry's current favorite punching bag, the NSA.
For the third step, Martin Kuppinger, founder and a principal at global analyst firm KuppingerCole, writes on his blog, “Users might access far more documents than average than they did before. Accounts might be used at unusual times. Users might log in from suspicious locations. Sometimes, it is not a single incident, but a combination of things, eventually over a longer period of time, which is typical for a specific form of attack, especially in the case of long-running APTs (Advanced Persistent Threats).” These are the symptoms of abnormal behavior, and Mr. Kuppinger suggests a look at the discipline of Real-time Security Intelligence as an approach to identify such behavior. This is the step that is most critical for today’s security programs because it focuses on the end user – the area in which the greatest risk lies.
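To make the third step concrete, here is an added example (written for this page; it is not code from the article or from KuppingerCole) that turns the symptoms quoted above into detection logic. It learns a per-user baseline of login hours, source countries and document volume from a set of constructed log records, then scores a review window for off-hours activity, unusual locations and far-more-documents-than-average, accumulating weak signals over several days so that a slow, low-and-slow pattern surfaces even when no single event looks alarming. The privileged-account list, the log lines, the indicator weights and the alert threshold are all constructed assumptions for illustration.

```python
"""Identity-aware anomaly scoring over constructed login/access records.

Added example, not from the original article: per-user baselines of
hours, countries and document volume; review-window scoring with weighted
indicators; privileged identities weighted higher.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical identity-directory export: accounts with elevated rights.
PRIVILEGED = {"alice", "dba_svc"}

# Constructed records: "<ISO timestamp> <user> <country> <docs_accessed>"
BASELINE_LOG = """
2014-03-03T09:12:00 alice US 12
2014-03-04T09:30:00 alice US 15
2014-03-05T10:02:00 alice US 11
2014-03-06T08:55:00 alice US 14
2014-03-03T08:05:00 bob US 20
2014-03-04T17:40:00 bob US 22
2014-03-05T12:20:00 bob US 18
2014-03-03T09:00:00 carol GB 30
2014-03-04T09:10:00 carol GB 28
"""
REVIEW_LOG = """
2014-03-10T03:14:00 alice RO 140
2014-03-10T09:05:00 bob DE 21
2014-03-11T09:10:00 bob DE 19
2014-03-12T22:30:00 bob DE 20
2014-03-10T09:20:00 carol GB 31
"""

WEIGHTS = {"off_hours": 1, "new_location": 1, "volume_spike": 2}  # assumed
PRIVILEGED_MULTIPLIER = 2  # assumed
ALERT_THRESHOLD = 3        # window score at or above this raises an alert


def parse(log):
    """Turn log text into (datetime, user, country, docs) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, country, docs = line.split()
        events.append((datetime.fromisoformat(ts), user, country, int(docs)))
    return events


def build_baseline(events):
    """Per-user normal: working-hour range, known countries, doc mean/stdev."""
    per_user = defaultdict(lambda: {"hours": [], "countries": set(), "docs": []})
    for ts, user, country, docs in events:
        per_user[user]["hours"].append(ts.hour)
        per_user[user]["countries"].add(country)
        per_user[user]["docs"].append(docs)
    return {
        user: {
            "hour_min": min(d["hours"]), "hour_max": max(d["hours"]),
            "countries": d["countries"],
            "mean": statistics.mean(d["docs"]),
            "stdev": statistics.pstdev(d["docs"]),
        }
        for user, d in per_user.items()
    }


def indicators(base, ts, country, docs):
    """Return the deviation indicators for one event against a user baseline."""
    found = []
    # One hour of slack either side of the observed working window.
    if not (base["hour_min"] - 1 <= ts.hour <= base["hour_max"] + 1):
        found.append("off_hours")
    if country not in base["countries"]:
        found.append("new_location")
    # "Far more documents than average": beyond 3 sigma and at least double.
    if docs > max(2 * base["mean"], base["mean"] + 3 * base["stdev"]):
        found.append("volume_spike")
    return found


def score_window(baseline, review_events, privileged=PRIVILEGED):
    """Accumulate weighted indicators per user across the whole review window."""
    scores = defaultdict(lambda: {"score": 0, "indicators": []})
    for ts, user, country, docs in review_events:
        entry = scores[user]
        base = baseline.get(user)
        if base is None:
            # Unknown identity: nothing to compare against, send straight to review.
            entry["score"] += ALERT_THRESHOLD
            entry["indicators"].append(f"{ts.date()}:no_baseline")
            continue
        mult = PRIVILEGED_MULTIPLIER if user in privileged else 1
        for ind in indicators(base, ts, country, docs):
            entry["score"] += WEIGHTS[ind] * mult
            entry["indicators"].append(f"{ts.date()}:{ind}")
    return dict(scores)


def alerts(scores, threshold=ALERT_THRESHOLD):
    """Users whose accumulated window score reaches the threshold."""
    return sorted(u for u, s in scores.items() if s["score"] >= threshold)


if __name__ == "__main__":
    result = score_window(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))
    for user in alerts(result):
        print(user, result[user]["score"], result[user]["indicators"])
```

Two points of design matter here. First, alice (privileged) trips three indicators in a single 3 a.m. session from a new country with ten times her usual document volume, and the privileged multiplier doubles her score. Second, bob never produces an event scoring above 2, below the threshold on its own, yet three days of logins from a new country plus one late-night session accumulate to an alert. That is the "combination of things over a longer period" from the quotation, and it is exactly what per-event alerting misses. In production the baseline would come from weeks of directory-enriched authentication and file-access logs rather than nine constructed lines, and the weights would be tuned against the organization's own false-positive rate.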
Closing the gap
As more and more of the computing environment moves outside the control of central IT organizations, led by the move towards BYOD, the ability to recognize who a user actually is, and what is normal for them, becomes a foundational part of effective security monitoring.
Without such identity-powered security, we can expect security teams to keep struggling to decide whether the events they are monitoring are worth a reaction, and that hesitation gives attackers the time to execute ever more damaging data breaches. Security teams will continue to operate in reactive mode, and will continue to fail to prevent breaches or to respond in a sufficiently timely way.
If identity becomes a central component of security management, security teams will be in a far better position to understand the behavior of users, and will spend far less time trying to work out the meaning behind the events they are seeing. People will continue to be our biggest point of exposure, but with a keen focus on user behavior and activity we will be in a much better position to limit the impact of breaches than we are today.