Ask any CISO about the jobs they must get right and they'll broadly talk about two: keeping the bad guys out (the responsibility of the Security Operations Center, or SOC) and letting the good guys in (the responsibility of the Identity and Access Management, or IAM, team). For years, I've believed that these two jobs aren't separate processes but two sides of the same coin, tied together by identity. You see, almost every breach involves the takeover of user credentials so that hackers can gain easy access to critical resources.
Therefore, the SOC and the IAM team each have a critical role to play in thwarting a breach. The SOC must be able to detect suspicious user activity and stop the hackers before they steal critical information. The job of the IAM team is to prove that users are who they claim to be and to deny access if they're acting suspiciously. With the right insights into identity, the SOC and IAM teams become heroes in protecting the enterprise. As part of RSA's product vision, we believe the way to connect the SOC and IAM disciplines is with User & Entity Behavioral Analytics (UEBA), a capability that benefits both functions by baselining user behavior and providing insight when anomalies occur.
Based on these concepts, today marks a very important day for our customers, as we accelerate the execution of the RSA® Business-Driven Security™ strategy. With the acquisition of Fortscale, we introduce a capability that enables the SOC to spot suspicious user activity, and will provide the IAM team with the necessary intelligence to make more informed decisions around authentication and access. Let's take a quick refresher on the importance of identity to both the SOC and IAM teams, and our point of view of how Fortscale's UEBA will accelerate the execution of RSA's product strategy.
The Role of Identity in Keeping the Bad Guys Out
When focusing on protecting the digital enterprise from cyber attacks, there are three critical capabilities every enterprise needs:
- Prevention – to stop the bad guys from getting in
- Detection – to spot the bad guys once they do get in (and they will if they're determined)
- Response – to take appropriate actions when you find them
While there's a lot we can talk about in each of these areas, let's focus on the Detection and Response stages. These are the most critical stages. Why? No matter what organizations do to prevent compromises from occurring, in the digital enterprise their information is everywhere (public clouds, private clouds, end-user computing devices). That makes prevention important, because it limits the attack surface, yet impossible to truly achieve, because there are so many points of ingress and egress. Organizations need robust detection capabilities to spot the hackers before they steal critical information. To do so, organizations need visibility into a variety of data sources, including endpoints, infrastructure, applications, users, cloud workloads, and so on.
The 2017 Verizon Data Breach Report reported that 80% of hacking-related breaches leveraged weak, stolen or compromised credentials. What better way to breach a network? Just masquerade as a legitimate user! It follows that if the SOC can spot suspicious users, it can thwart attacks and minimize the dwell time during which hackers exfiltrate sensitive information. To detect user-based attacks, enterprises need a system capable of establishing a known baseline of identity characteristics over time and then locating anomalies against that baseline. This baselining is one of many analytic factors behind the User and Entity Behavioral Analytics capabilities the SOC needs, and doing it well yields a resilient analytics model: if hackers avoid detection by one set of analytics, they'll be detected by others. Once the SOC has detected some clue that bad activities are ongoing, it can drive a set of response activities such as compromise scoping, workflow orchestration, or automated controls to block the attack.
One of the important response activities driven by a modern SOC is adapting controls to block attacks. However, the challenge here is around false positives – activities that look suspicious, but are actually legitimate. If the SOC inadvertently blocks legitimate traffic or stops the actions of a legitimate user, they're actually hindering business instead of helping. That's where RSA's capabilities really shine. Imagine if the SOC's UEBA capabilities spot a suspicious user, and trigger the Authentication and Access systems to prove that the user really is legitimate – without hindering business. This would enable the SOC to be a force multiplier for the IAM team.
Making Authentication and Access Invisible with User Behavior
Just as in the role of keeping the bad guys out, there are three critical areas to ensure the good guys can get access to the resources they need both conveniently and securely in the digital enterprise:
- Identity Governance – to understand who has access to what and manage exceptions
- Identity Management – to manage employee access through their career
- Authentication & Access – to prove that users are who they claim to be
For now, I will focus specifically on the capabilities of Authentication & Access, what I think of as the "control plane" of Identity. When a user tries to access corporate resources, the authentication system needs to make a lightning-fast decision about whether or not the user is who they claim to be. For many, many years that's been done through the use of a username and password. If you step back and think about that, it's a bit crazy that despite all of the technological advances in computing resources, most enterprises still use such a simplistic form of authentication and access for their most sensitive information.
At RSA, we've been providing the world a couple of alternatives to passwords for many years as well: Two-Factor Authentication (2FA) and Risk-Based Authentication (RBA). 2FA uses something you have (your token or phone) and something you know (your PIN) to provide "strong" authentication, under the premise that it would be really unlikely for a hacker to both have your token and know your PIN! We've also provided RBA through our Adaptive Authentication offerings, which evaluate various factors of the user transaction (device, geolocation, etc.) to verify that the transaction is valid.
While these capabilities are really robust, security is most effective when it becomes invisible to the user, giving them all of the convenience to accomplish their work while keeping them (and the enterprise) silently secure along the way. To accomplish the goal of "invisible" user authentication and access, you need not just two but many factors to prove the user is who they claim to be. That means establishing a baseline of the user's device, the typical locations they work from, and their typical behavior, and then determining whether how they are acting is typical or anomalous. If typical, they continue operating normally. If there's an anomaly, it's critical to prove that it really is them. The best way to accomplish this is with step-up authentication, such as Touch ID.
So how does UEBA benefit the IAM team? Any suspicious user activity that the SOC detects becomes another set of insights to help the RSA SecurID® Access risk engine determine the right level of assurance to prove that the user is legit. If the RSA NetWitness® Platform can trigger a workflow, or even better an automated feed, that provides input to RSA SecurID Access, the day-to-day activities of the SOC and the IAM team can help each other. This is a big step towards making authentication and access more invisible, and more secure.
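The following is an added illustration, not RSA, Fortscale or NetWitness code, of the two ideas above in one place: building a per-user behavioral baseline from login history and scoring new logins against it (the detection side), then mapping that score, plus an optional SOC alert flag, to an access decision of allow, step-up or deny (the IAM side). The history, thresholds and the hour tolerance are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed login history (not real data): (user, device id, country, hour of day)
HISTORY = [
    ("alice", "laptop-1", "US", 9), ("alice", "laptop-1", "US", 10),
    ("alice", "phone-1", "US", 18), ("alice", "laptop-1", "US", 11),
    ("alice", "laptop-1", "US", 14),
]


def build_baseline(events):
    """Per-user baseline: devices, countries and login hours seen historically."""
    baseline = defaultdict(lambda: {"devices": Counter(), "countries": Counter(), "hours": Counter()})
    for user, device, country, hour in events:
        b = baseline[user]
        b["devices"][device] += 1
        b["countries"][country] += 1
        b["hours"][hour] += 1
    return baseline


def score_event(baseline, event):
    """Return (anomaly score, reasons) for one login against the user's baseline."""
    user, device, country, hour = event
    b = baseline.get(user)
    if b is None:
        # A user with no history cannot be baselined; treat as maximally anomalous.
        return 3, ["no baseline for user"]
    reasons = []
    if device not in b["devices"]:
        reasons.append("unknown device")
    if country not in b["countries"]:
        reasons.append("unseen country")
    # A login within 2 hours of any previously seen login hour counts as typical (assumed tolerance).
    if not any(abs(hour - h) <= 2 for h in b["hours"]):
        reasons.append("unusual hour")
    return len(reasons), reasons


def assurance_decision(score, soc_flag=False):
    """Map the anomaly score, raised further by a SOC UEBA alert, to an access decision."""
    if soc_flag:
        score += 2  # an active SOC alert on this user weighs heavily (assumed weighting)
    if score == 0:
        return "allow"
    if score <= 2:
        return "step-up"  # ask for an additional factor rather than blocking outright
    return "deny"
```

Note that a single anomaly on its own never blocks the user; it only raises the assurance required, which is the "force multiplier without hindering business" behaviour the text describes.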
UEBA: Bringing it All Together
What should now be clear is that UEBA is one of the critical capabilities required both for keeping the bad guys out and for letting the good guys in. As part of an evolved SIEM, UEBA enables the intelligent SOC to detect anomalous user activity indicative of compromised credentials or an insider threat. Detecting these events can drive the incident management and remediation process to spot a hacker campaign playing out in an enterprise. The same UEBA capabilities can also be a factor in helping the IAM team provide the right level of assurance that a user is who they claim to be. In this way, UEBA is the bridge tying the SOC and IAM teams together, making both sets of capabilities that much more effective.
Enabling the SOC and IAM process and technologies to work together is a strategy RSA has been driving as part of our Business-Driven Security strategy. The acquisition of Fortscale enables RSA to accelerate delivery of that strategy, giving our customers the benefits of innovative and integrated technologies to combat digital risk.
Author: Grant Geyer, SVP, Products
Category: RSA Point of View, Blog Post
Keywords: Fortscale, IAM, RSA SecurID Access, SIEM, SOC, UEBA