A look back at the Top 5 breaches of 2013 found attackers fine-tuning their methods to bypass traditional security controls. At Target, we saw attackers overcome strong perimeter defences to install malware on POS systems. We also saw the local crowdsourcing website Kickstarter have its customer details stolen, and the misuse of privileged user access rights by a defence contractor who was able to leak details of the NSA’s PRISM program.
The common thread among all of these breaches was that the victim organisations were unable to rapidly detect and respond to threats resulting from abnormal or inappropriate activity by internal users acting within their IT infrastructures.
Traditional security approaches are failing to defend against the newer generation of cyber-attacks. They rely too heavily on perimeter-based defences and on security tools that are deployed as point solutions afterwards. With a perimeter that is larger and more porous than ever before, there are many more opportunities to breach defences.
And as the IT infrastructure expands and more security tools are added, even more security event “noise” is generated, often without a strategic imperative. Stretched security teams are left with mountains of data to analyse and make sense of. In the “noise”, the activities of internal users are often lost and it’s easy to lose track of what is normal user behaviour. When security teams are unable to gain insight into activities and events that may signal a threat because of weak or missing security analysis, a security intelligence gap exists.
Bridging the security intelligence gap with “identity context”
The solution to this problem is an integrated approach to security that incorporates additional context about users and events into security monitoring solutions.
When defending against the inside threat, identity is a key source of context for understanding what is normal behaviour for users within an organisation. Integrating the “identity context” of events and users with privileged user management and monitoring tools can help security teams answer key questions such as: Who is accessing our sensitive data? Is this normal behaviour for the individual? Is this activity authorised? Is this a threat? When security teams are provided security data that is enriched with “identity context” from across the organisation, they’re able to cut through the “noise” of activity and quickly identify whether user activity poses a threat – and take immediate action if it does.
Control and monitor privileged users
Focusing protection around the data that matters, and on the users that regularly interact with this data, is a security best practice that helps you prevent insider attacks and limit the damage from an attack once it occurs. This must be done throughout the entire user lifecycle, and for service providers and contractors as much as possible. A good privileged user management and monitoring solution can help you reduce the privileged user attack surface.
- Reduce the number of privileged users - Many organisations end up with too many employees who have access to critical data that is not necessary for performing their job functions.
- Enforce a "least-privilege" policy - Assign the lowest level of user rights that still enables the user to do his or her job. This reduces the risk both of accidents by well-intentioned employees and of malicious outsiders targeting and gaining access to a privileged account with broad access rights.
- Monitor the activities of privileged users - Make sure that changes to, and access to, sensitive information are authorised. Security teams should be alerted in real time to suspicious activity so that prompt action can be taken. Rich security information that details the “who, what, when and where” of an activity should provide the context teams need to take prompt action.
Integrate “identity context”
Whether it’s applications, mobile devices or the cloud, more data is becoming available through these platforms, and more users are accessing that data faster than ever. Tying identities and uniform access policies together, and integrating this identity intelligence into security monitoring tools (such as privileged user management and monitoring tools), will become the preferred way to reduce the risk of insider attack.
The process of integrating identity intelligence with security solutions is called identity integration. This process gives you the ability to understand who the individual really is given that individuals will have many different accounts, and access many different services, both internally and externally. You can use the security intelligence that ensues from this process to decide if the user activity is potentially risky, unusual, or business-appropriate.
Integrated identity intelligence provides “identity context” about user activities to security monitoring tools, and answers key questions to enable decision-making, such as: What applications has this user been using? Or is the user activity unusual? The ability to identify when user activity is unusual or outside normal business practices will help you reduce the risk of an external attacker posing as an insider, which is the way many Advanced Persistent Threats (APTs) work. It is equally helpful at reducing the risk of an insider maliciously or accidentally exposing your organisation to a breach or service interruption.
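As an added illustration (not NetIQ code or product behaviour), the following Python script applies the identity integration described above to constructed events: several accounts are resolved to one person, each event is enriched with “who, what, when and where” context, and the authorised/normal questions are answered with simple rules. The identity directory, the list of sensitive resources and the business-hours baseline are all assumptions made for the example.

```python
"""Added illustration (not NetIQ's code): enrich raw access events with
"identity context", then ask who it was, whether it was authorised and whether it was normal."""
from collections import namedtuple

# Constructed identity directory: several accounts map to one person, and the
# entitlement to touch sensitive data belongs to the person, not the account.
IDENTITIES = {
    "j.doe":      {"person": "Jane Doe", "role": "dba", "sensitive_ok": True},
    "jdoe-adm":   {"person": "Jane Doe", "role": "dba", "sensitive_ok": True},
    "svc-backup": {"person": "Backup service", "role": "service", "sensitive_ok": True},
    "m.lee":      {"person": "Mark Lee", "role": "marketing", "sensitive_ok": False},
}
UNKNOWN = {"person": "UNKNOWN", "role": "unknown", "sensitive_ok": False}
SENSITIVE = {"cardholder_db", "hr_payroll"}   # "the data that matters" (assumed)
BUSINESS_HOURS = range(7, 20)                  # hypothetical baseline for human users

Event = namedtuple("Event", "ts account host resource action")

def enrich(event):
    """Attach the who/what/when/where identity context to a raw event."""
    ident = IDENTITIES.get(event.account, UNKNOWN)
    sensitive = event.resource in SENSITIVE
    return {"who": ident["person"], "role": ident["role"],
            "what": f"{event.action} {event.resource}", "when": event.ts,
            "where": event.host, "sensitive": sensitive,
            "authorised": ident["sensitive_ok"] or not sensitive}

def assess(en):
    """Return the reasons (if any) why this enriched event deserves an alert."""
    hour = int(en["when"][11:13])   # ISO timestamp, hour field
    reasons = []
    if en["sensitive"] and not en["authorised"]:
        reasons.append("unauthorised access to sensitive data")
    if en["who"] == "UNKNOWN":
        reasons.append("account not linked to any identity")
    if en["sensitive"] and en["role"] != "service" and hour not in BUSINESS_HOURS:
        reasons.append("sensitive access outside business hours")
    return reasons

# Constructed sample events; none of this is real log data.
EVENTS = [
    Event("2014-02-10T09:12:00", "j.doe", "db01", "cardholder_db", "SELECT"),
    Event("2014-02-10T02:30:00", "svc-backup", "db01", "cardholder_db", "DUMP"),
    Event("2014-02-10T14:05:00", "m.lee", "web03", "hr_payroll", "SELECT"),
    Event("2014-02-10T23:41:00", "jdoe-adm", "jump01", "cardholder_db", "EXPORT"),
    Event("2014-02-10T10:00:00", "ghost", "db01", "hr_payroll", "SELECT"),
]

def triage(events=EVENTS):
    """(person, account, host, reasons) for each event that warrants an alert."""
    enriched = [(e, enrich(e)) for e in events]
    return [(en["who"], e.account, e.host, assess(en)) for e, en in enriched if assess(en)]
```

Note how the fourth event is attributed to Jane Doe even though it came from her separate admin account: without that account-to-person link the after-hours export would look like a different user.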
Keep it rolling
The final step in the process is to implement a lifecycle approach to maintaining the security and compliance processes that you put in place to defend against the inside attack. We recommend the use of scheduled and automated compliance assessments and reporting to keep these security processes and controls in place. By implementing more business-appropriate access controls and tightly integrating identities into security monitoring, the organisation can respond to an attack quickly with the necessary information to limit or prevent a significant and damaging breach from occurring. When security data is enriched with “identity context”, it is transformed into truly actionable security intelligence that teams can use to disrupt an attack and speed incident response before damage is done.
Renee Bradshaw is solution strategist at NetIQ