[BreachExchange] Avoiding the trap of data breach fatigue using identity analytics
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Aug 14 20:26:32 EDT 2017
https://www.scmagazineuk.com/avoiding-the-trap-of-data-
breach-fatigue-using-identity-analytics/article/677553/
It seems that every day there's a new breach in the news – ransomware,
identity theft, nation/state-sponsored cyber-terrorism, and the good old
standbys of phishing and zero day attacks. Businesses need to face a new
reality where they are under constant attack from cyber-criminals. With
the “data breach of day” headlines constantly hitting the media, it's easy
for companies to get sucked into the data breach fatigue vortex and to bury
their heads in the sand.
No one is immune and it's generally been accepted that it will happen
eventually, so the attitude has shifted from “will I get attacked; what can
I do to prevent it?” to “I've already been attacked; how can I minimise the
damage?”
Of course, there are steps businesses can take to protect themselves
ranging from next-generation firewalls, antivirus, staying up to date on
patches to encryption and intrusion detection. While these all provide a
necessary first-line of defence, but what happens after the bad guys
inevitably find a way around these or a malicious or careless insider is
the source of a breach?
Looking at most major breaches, there are some common themes. Generally,
the bad guys come in through the front door, let in by an unsuspecting or
naïve user. These bad actors are patient and work hard to cover their
tracks and escalate privileges within the breached enterprise until they
obtain sufficient rights to get to the data that is their real target.
Then, as a seemingly legitimate user with seemingly legitimate permissions,
the systems gladly grant access. And then you are in trouble – the digital
fox is in the henhouse.
The disciplines of identity and access management (IAM) can go a long way
to ensuring that when the bad guys do get in (and they will), there's
nothing for them to do and achieving their nefarious objectives is simply
not worth the effort. There are several key IAM practices that can minimise
risk without negatively impacting the way your users go about their jobs.
Effective, business-driven provisioning and de-provisioning – make sure
that those attributes that define which users can access what are
established by the line-of-business (not IT) and that they are applicable
across the entire enterprise.
Remember that nothing presents greater risk than a siloed approach to role
or group management where the processes you put in place for one system are
independent of every other system. And a “close is good enough” attitude is
never alright when it comes to user access.
Adaptive, risk-based authentication – rather than implement access control
in a heavy-handed, generalised manner that inevitably leads to disgruntled
users who will look for every chance to skirt security policy, implement a
contextual approach that can adjust enforcement relative to the risk of the
request.
For example, an on-premise user has access to systems and data that he
always uses to do his job is given transparent access to the systems he
needs during business hours. However, if the same user is working remotely,
after hours, exhibiting less-common behaviours, perhaps he is asked for an
extra level of assurance via a multi-factor authentication challenge, for
instance.
Privileged access management – the holy grail of any bad actor is the
privileged accounts associated with every system. If they can escalate
permissions to be granted access to these all-powerful and anonymous
accounts, all bets are off. Simply eliminating the sharing of
administrative credentials – locking them away in an automated password
vault – and auditing activities performed with them will dramatically
increase security and shrink the risk surface.
Identity analytics – while behaviuoral analytics helps determine why
something bad happened and prevent future incidents, identity analytics
provides insight into potential risk before anything bad can happen.
Identity analytics looks at the entitlements, rights, and permissions
granted to users and notifies of anomalies and areas of risk. Identity
analytics will find the inappropriate escalation activities, users whose
permissions are out of line with peers both within and outside of the
organisation, and excessive rights that may be relics of incomplete
de-provisioning or temporary elevation activities.
None of us can afford to ignore the risks, the constantly changing attack
landscape, and the persistent behaviours that make some organisations an
easy target. However, with effective IAM, they can limit damage, reduce
risk, and dramatically increase the chances for defensive success.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170814/bbe79316/attachment.html>
More information about the BreachExchange
mailing list