Six Keys to Successful Identity Assurance Strategy: Anomaly Detection

Apr 10, 2017 | by Jason Oeltjen


In granting access to users, understanding their behavior goes a long way towards providing frictionless security. As part of our blog series, Six Keys to a Successful Identity Assurance Strategy, we continue to explore going beyond simple two-factor (2FA) or multi-factor authentication (MFA) to create a successful identity assurance strategy for your organization. Previously, we discussed the fundamentals of using business context as part of an effective authentication strategy.

While the attributes and static rules that give us business context provide some ability to assure the right authentication requirements for each situation, watching behavior to see what is normal and what is not can unleash broader capabilities to both improve user experience and security. This is why anomaly detection is the next key to crafting a successful identity assurance strategy.

Identifying Abnormal Access Requests

Let's start by taking a look at what makes an access request appear abnormal. There's a simple question we can ask to recognize an abnormal request: Is this access request unlikely to be legitimate? Answering this question can require information from multiple sources. However, your multi-factor authentication solution should have capabilities to perform a basic level of anomaly detection. Let's take a look at some examples of these capabilities.

  1. Isolate bad IP addresses. When known bad IP addresses are used in access attempts, they should simply be blocked.
  2. Recognize velocity anomalies. When a user's location is known, a correlation can be made between this access request and other recent requests. For example, is it possible for a user to log in from Colorado and 10 minutes later log in from Moscow? No? We'd better get more proof that the user is who they claim to be, or maybe just deny that access request.
  3. Flag locations as untrusted. If the geo-location of an access request is somewhere no one has business getting access from, again these requests should be denied. It's also possible that we simply want to require additional authentication for a location, such as an access request from a specific country from which we would rarely need access.

For capabilities such as these that are built into the identity system, we should expect policies to leverage this information to properly deny access or require additional authentication when such conditions are recognized. We will discuss utilizing other tools to build even further intelligence into recognizing abnormal behavior in a future blog in this series, where we focus on getting information from a broader set of systems.

Recognizing Normal through Patterns

In addition to recognizing abnormal behavior, we need to look at the inverse. We must understand normal behavior and how that can impact identity assurance of a user. It all starts with the context attributes we discussed earlier but, in this case, we don't pre-determine what we trust through static rules. We look at the user and attributes such as their device, location, network, time of day, and access patterns. For each of these, we determine if we've seen a common pattern of successful authentication attempts where these attributes are consistent. When we can recognize enough consistency, we can gain some assurance of who this user is without interactive authentication. By using many of the same attributes as we use in business context, looking for patterns instead of static rules, we can start to create intelligence in our identity and access management system.
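The three built-in capabilities above (bad IP, velocity, untrusted location) and the normal-pattern check in this section, as a small policy evaluator. This is an added example, not code from the original post or from any RSA product; the blocklist, country codes, thresholds and login history are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed policy inputs (placeholders, not real threat intelligence).
BLOCKED_IPS = {"203.0.113.7"}      # known-bad address (TEST-NET-3 documentation range)
UNTRUSTED_COUNTRIES = {"ZZ"}       # nowhere anyone has business logging in from (user-assigned code)
MAX_SPEED_KMH = 1000.0             # faster than a commercial flight, so the travel is impossible
FAMILIAR_THRESHOLD = 3             # prior successes with the same device and country

@dataclass
class AuthEvent:                   # one login; `history` holds only successful ones
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    device: str
    when: datetime

def haversine_km(lat1, lon1, lat2, lon2):   # great-circle distance in kilometres
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(event, history):   # -> "deny" | "step_up" | "trusted" | "authenticate"
    if event.ip in BLOCKED_IPS or event.country in UNTRUSTED_COUNTRIES:
        return "deny"                                  # capabilities 1 and 3: block outright
    prior = [e for e in history if e.user == event.user and e.when < event.when]
    if prior:                                          # capability 2: velocity vs. last success
        last = max(prior, key=lambda e: e.when)
        hours = max((event.when - last.when).total_seconds() / 3600, 1 / 60)
        if haversine_km(last.lat, last.lon, event.lat, event.lon) / hours > MAX_SPEED_KMH:
            return "step_up"                           # impossible travel: ask for more proof
    familiar = sum(1 for e in prior if e.device == event.device and e.country == event.country)
    return "trusted" if familiar >= FAMILIAR_THRESHOLD else "authenticate"  # consistent history: no prompt

def sample_scenarios():
    """Constructed history: three successful Denver logins from one laptop, a day apart."""
    base = datetime(2017, 4, 10, 9, 0)
    denver = dict(user="alice", ip="198.51.100.4", country="US", lat=39.74, lon=-104.99, device="laptop-1")
    history = [AuthEvent(when=base + timedelta(days=i), **denver) for i in range(3)]
    soon = base + timedelta(days=2, minutes=10)        # ten minutes after the last Denver success
    later = base + timedelta(days=3)
    return {
        "bad_ip": evaluate(AuthEvent(**{**denver, "ip": "203.0.113.7", "when": soon}), history),
        "moscow": evaluate(AuthEvent(**{**denver, "country": "RU", "lat": 55.76, "lon": 37.62, "when": soon}), history),
        "same_laptop": evaluate(AuthEvent(**{**denver, "when": later}), history),
        "new_phone": evaluate(AuthEvent(**{**denver, "device": "phone-2", "when": later}), history),
    }
```

The "trusted" outcome is where the pattern check pays off: a request that matches enough prior successes on the same device and country earns assurance without an interactive prompt, while an unfamiliar but non-anomalous request simply falls back to standard authentication.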

Putting It All Together

Anomaly detection starts with recognizing situations that heighten the risk that an access request is not legitimate. By having the right tools to take appropriate action on this abnormal activity, you build on the business context of an identity assurance strategy.

I include normal behavior in this topic because it makes sense to discuss the abnormal behavior found by isolating anomalies alongside the recognition of normal patterns. Identifying normal patterns leads into our next blog topic, which is machine learning. The data science behind machine learning becomes important in recognizing normal behavior and can also be leveraged for abnormal behavior. We'll explore that more in the next blog. In the meantime, download this white paper to learn more about identity assurance.

Tags: Jason Oeltjen, RSA Fundamentals, Abnormal Access, Anomaly Detection, Key Elements, RSA SecurID, Strategy