Analytics as a Core Component to Modern Cybersecurity

This is the second follow-up to my blog post from December 11th, The CSO’s 4 Key Takeaways from Gartner IAM 2017. In this post I drill into my perspectives on why modern cybersecurity programs must have a strong analytics component. Of course, I need to start by drifting into philosophy again to ground the discussion.

Alongside the “zero trust” tenet I referred to in my previous post in this series, I also firmly hold that any effective security program must be built assuming that your defenses are already breached. The premise here is simple: if your adversary wants to gain access to your systems and data badly enough, they will get in. One of my favorite quotes on this topic comes from John Chambers at Cisco: “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” In the end, all the fancy next-gen protective measures you implement will not keep a well-funded, determined adversary out. Of course you still need to deploy those protections; they are necessary, but not sufficient.

Another advantage of taking this “assume breach” mindset is that it should lead you to build detection measures that work effectively for the insider threat as well as the external threat. The “assume breach” mindset places a higher degree of emphasis on detecting malicious behavior and activity, and on responding well when an incident is discovered. I believe strongly that this is one of the key elements of an effective cybersecurity program. And if you take the “zero trust” model I discussed previously and combine it with “assume breach”, the ability to detect malicious activity using identity data becomes extremely important.

This need to detect malicious activity is one of the key reasons advanced analytics concepts like machine learning, neural networks, and deep learning are beginning to make as big an impact on security as they have on other parts of the business, and we’re just getting started. Older methods of analyzing and correlating data simply aren’t working because they still generate too much noise and require too much human analysis; “alert fatigue” is as real today as it was in 2013, when it was cited as a contributing factor in the Target breach. We need to leverage these new ways of analyzing large, complex data sets so that we have a better chance of uncovering the anomalous behavior that is indicative of malicious actions.

Identity-related data (who is using which devices to access what services/functions from where) is not only critical to analytics-based malicious activity detection, it’s also at the heart of other innovative uses we’re seeing for analytics within the security space:

  • Making Identity Governance & Administration (IGA) much more responsive and risk-based: helping organizations quickly assess which individuals have highly risky access permissions based on their roles across many different applications, which entitlements are lower-risk so they can be automatically approved rather than manually reviewed, etc.

  • Helping Identity & Access Management (IAM) tools make better risk decisions throughout the full set of customer transactions, taking into consideration a wide range of contextual and historical data to establish risk levels for AuthN/AuthZ transactions and comparing these to behavioral models.
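To make the second bullet concrete, here is an added example (my own illustration, not code from the original post or from any identity vendor) that builds a per-user behavioral baseline from a constructed login history and scores a new AuthN attempt by how far its identity context (user, device, country, service) departs from that baseline. The sample history, the dimension weights and the allow/step-up/deny thresholds are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """Identity context for one AuthN attempt: who, on which device, from where, to what."""
    user: str
    device: str
    country: str
    service: str


# Constructed sample login history (not real data) that stands in for the behavioral model.
HISTORY = [
    AuthEvent("alice", "laptop-01", "US", "mail"),
    AuthEvent("alice", "laptop-01", "US", "hr"),
    AuthEvent("alice", "laptop-01", "US", "mail"),
    AuthEvent("alice", "phone-01", "US", "hr"),
]

# Assumed weights: an unfamiliar device or country counts for more than an unfamiliar service.
WEIGHTS = {"device": 0.4, "country": 0.4, "service": 0.2}


def build_baseline(events):
    """Per-user frequency counts of each context dimension seen in the history."""
    baseline = defaultdict(lambda: {dim: Counter() for dim in WEIGHTS})
    for e in events:
        for dim in WEIGHTS:
            baseline[e.user][dim][getattr(e, dim)] += 1
    return baseline


def risk_score(baseline, event):
    """0.0 = fully consistent with the user's history, 1.0 = nothing seen before."""
    profile = baseline.get(event.user)
    if profile is None:  # identity with no history: treat every dimension as novel
        return 1.0
    score = 0.0
    for dim, weight in WEIGHTS.items():
        counts = profile[dim]
        freq = counts[getattr(event, dim)] / sum(counts.values())
        score += weight * (1.0 - freq)  # the rarer the context, the higher the risk
    return round(score, 3)


def decide(score):
    """Map a score to an AuthN outcome; thresholds are assumptions."""
    if score >= 0.7:
        return "deny"
    if score >= 0.3:
        return "step-up"  # e.g. require a second factor before granting access
    return "allow"


def evaluate(event, baseline=None):
    """Score one attempt against the baseline and return (score, decision)."""
    baseline = baseline if baseline is not None else build_baseline(HISTORY)
    score = risk_score(baseline, event)
    return score, decide(score)
```

In a real deployment the history would come from the identity platform's audit stream, and the weights and thresholds would be tuned against observed false-positive rates rather than fixed by hand.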

Security leaders looking to leverage advanced identity-based analytics as a key part of their program need to understand how their identity vendors will enable (or hinder) their use of identity-related data. If your current identity platform makes it hard to get data into an analytics platform, or does not allow the integration of advanced analytics into AuthN/AuthZ decisions, you should take a look at alternatives like the ForgeRock Identity Platform that better support your overall cybersecurity needs.