While most enterprise organizations have SIEM installed, they now realize that these venerable security systems cannot address today's dangerous threat landscape alone. As a result, many are adding network forensics and big data analytics systems for capturing, processing, and analyzing a whole bunch of additional security data.
In the majority of cases, big data security analytics systems are applied to data such as network packets, packet Meta data, emails, and transaction systems to help security teams detect malware, phishing sites, and on-line fraud. Great start, but I'm starting to see another burgeoning focus area - IAM. Of course, many large organizations have IAM tools for user provisioning, SSO, and identity governance, but tracking all the instantiations of user activity remains elusive. In a recent ESG research survey, security professionals were asked to identify their weakest area of security monitoring. More than one-quarter (28%) pointed to, "user behavior activity monitoring/visibility," - the highest percentage of all categories.
The obvious use-case for IAM analytics is linking network/device activities with actual users. This is especially helpful in security investigations. Aside from incident detection/response, many firms are also turning to big data security analytics to improve risk management associated with day-to-day IAM activities. Why? Software tools are great at automating and scaling processes but IAM is fraught with complex workflow, multiple identity repositories, and multiple accounts per user. Given all of the moving parts, even tightly-managed organizations regularly discover orphaned accounts, inappropriate entitlements, and unknown privileged users. Additionally, IAM workflow can devolve into a check-box exercise rather than a thorough review of who should have access to which systems.
Historically, these issues were addressed with periodic audits, disparate reports, and manual processes - an inefficient IAM cocktail at best. IAM big data security analytics can help address these issues by helping enterprises:
1. Clean up the access list. Armed with the right analytics tools, CISOs and IAM managers can quickly identify rogue accounts or users who haven't accessed applications for a prolonged period. Once discovered these accounts can be deleted quickly.
2. Establish and manage separation of duties (SODs). While business managers are responsible for establishing separation of duties rules, few actually do. IT and security teams rarely fill this gap as they may not have the business process knowledge for policy creation or enforcement. IAM security analytics can be used to help business managers view business process relationships and find potential conflicts of interest related to compliance and risk. This can help them establish and manage SODs moving forward.
3. Manage privileged users. This can be extremely difficult as software like Oracle databases has a multitude of privileged accounts that can't be turned off. Furthermore, there are potpourri of privileged accounts used by application, network, storage, and systems administrators on a daily basis. IAM managers can use analytics to get their arms around the enormous number of privileged accounts and create rules that trigger security alerts when anomalous behavior is detected.
Many security tools tie into Active Directory, but the best big data security analytics will more likely come directly from IAM vendors like CA, Courion, IBM, and Sailpoint. As an example, Courion introduced its Access Insight product last year and has had great success thus far. One Courion user from the health care industry stated that with new regulations like the Affordable Care Act, he cannot buy anything that doesn't offer immediate ROI. Courion Access Insight was one of few tools that passed this strict requirement as it helped him automate and improve numerous manual IAM tasks.
Big data security analytics can certainly help improve incident detection/response in the future but many large organizations are already using these analytics tools to streamline processes and improve IAM oversight efficiency. From a security perspective, this can help enterprises reduce their overall attack surface and lower IT risk.