Identity & Access Management, GRC, SIEM: Tackling Identity Risk as One

Jul 12, 2018 | by Dave Taku

In the late 1700s, the first Industrial Revolution forever changed the course of human history. The steam engine, machine-powered automation and the factory system made the manufacture and availability of goods ubiquitous. Today, we are in the midst of the next great industrial revolution as the power of cloud, mobility and machine-based analytics makes the goods of the 21st century—information—available to anybody at any time, and from anywhere. This digital transformation changes the way we work, the way we live and the way we interact with one another. Businesses that do not embrace this change will quickly find themselves going the way of the horse-and-buggy.

This transformation comes with a cost. Digital transformation introduces digital risk, with identity risk being one of the most significant. 81 percent of web-based attacks use stolen credentials. In 2017 alone, this equated to more than 164 million compromised user accounts, along with untold billions of dollars in damages from intellectual property theft, regulatory fines and reputational damage. Identity risk has become a board-level conversation and can no longer remain the sole responsibility of the identity and access management team. Understanding and mitigating this risk requires a continuous and pervasive fabric of identity analytics and insights connecting the disciplines of identity and access management (IAM), security information and event management (SIEM), and governance, risk and compliance (GRC) to answer the “Four Ws” of identity risk (in the spirit of journalism’s classic “Five Ws” of information).

The role of identity and access management systems has traditionally been to help answer the first two “W” questions: WHO is the user making the request, and WHAT should that user be allowed access to? Answering these questions is more difficult than it may seem. According to data from the RSA Anti-Fraud Command Center, new phishing attacks are launched, on average, every 30 seconds. Given that, can you really trust that a user is who they claim to be—even when they’re presenting a valid credential? And with user identity often scattered across hundreds of independent accounts on-premises and in the cloud, savvy attackers quickly find entitlement blind spots in the form of orphaned accounts, excess privilege and segregation of duties (SoD) violations.

Modern techniques in risk analytics can help isolate and surface potential blind spots while behavioral analysis and machine learning can help support, in real time, the user’s identity claim. Is the user authenticating from a known location or a trusted device? Are they exhibiting any abnormal patterns of behavior? Are they accessing from a location, device or IP address that is considered high-risk or that can be associated with known fraudulent attempts? Even with these advanced techniques, though, we are only solving half of the puzzle.

While identity and access management focuses on letting the good guys in (with as little friction as possible), the role of SIEM systems is to detect the bad guys that get past this first layer of control. Today’s modern SIEM has evolved beyond forensic analysis of network packets and application logs to look at HOW users are behaving with the access they are given. These insights are critical, not only to identify potentially compromised accounts, but also to detect insider threats from legitimate authorized users. Identity and access management must work together with the SIEM in a closed loop to prevent, detect and respond to identity-related threats. First, identity and access management assists the forensic investigation by informing the SIEM of suspicious or risky access behavior. In return, the SIEM should notify the identity and access management system of user accounts or credentials suspected of compromise. This “no-fly list” can then be used to inform real-time decisions to block a user, quarantine access or require stronger forms of authentication.

Even with the right security controls in place, explaining to the business WHY they should care about identity risk is still a challenge. GRC solutions can bridge this gap when they work directly with identity and access management controls. The role of GRC is to assess and quantify the likelihood and financial impact of business risk, whether due to a failed audit, loss of service or a security breach. GRC systems also understand which applications and systems are most critical to the operation of a business. When assessing the potential risk of an excess privilege or an orphaned account, or when making decisions about authentication requirements, it is vital to prioritize applications most critical to the business. It is also imperative that identity and access management systems are able to report identity risks—both potential and realized—to GRC systems.

Managing identity risk is a cat-and-mouse game—let the good guys in while keeping the bad guys out. As your organization embarks on its own digital transformation, the stakes only get higher, and your identity team can no longer do it alone. Identity and access management, SIEM and GRC solutions must work together. Each of these three disciplines holds a key piece of the identity puzzle. Only by sharing insights across them can organizations truly understand and manage identity risk.

# # #

Want to learn more about how identity and access management can work together with other systems? This webcast on integrating identity and SIEM systems is a good place to start.

Author: Dave Taku

Category: RSA Fundamentals, Blog Post

Keywords: Digital Risk, Identity & Access Management, Identity Management, GRC, SIEM