By Saryu Nayyar
Enterprises are struggling to find secure ways to let trusted users (employees, customers, and partners) access sensitive data from many entry points and devices across the country, or even the world. Traditional security models, designed to protect one entry point or a small number of them, are no longer viable.
Until about ten years ago, the tried-and-tested security strategy of most enterprises was a hard outer shell and a soft inside, something like an exoskeleton. Security systems were built to protect the data center, where mainframes and large servers housed mountains of data. Endpoint protection, meanwhile, was implemented with many difficult-to-manage software agents installed on each system.
That security model has been shattered by three interconnected factors: the widespread use of multifunctional smartphones, the bring your own device (BYOD) phenomenon, and the relentless adoption of cloud computing. The cloud is now used for everything from backup, to applications, to hybrid computing solutions, to completely outsourced data centers.
Escalating Threats From the Outside
Most corporate information has moved beyond the network and the corporate firewall to the cloud. The cloud offers increased flexibility and productivity for users and enterprises, enabling organizations to scale computing resources up and down in minutes in response to business needs.
However, the cloud also created a massive gap for security and IT folks. Corporate data, applications, infrastructure, storage, and so on are no longer under the complete control of enterprises, as the cloud has created multiple points of vulnerability.
The traditional perimeter firewall cannot stop threats that arrive through cloud services, mobile devices and other channels it was never designed to see. The border is gone. Data and computing resources are no longer safe inside the fortress, because there is no fortress: most data and resources now reside in multiple locations outside the enterprise.
Escalating Threats from the Inside
Many enterprises can no longer effectively detect threats from the inside because their tools are not up to the task. Security information and event management (SIEM) solutions — which provide data normalization and correlation for centralized visibility, mainly for compliance and operations — typically lack threat hunting capabilities.
Intrusion detection and intrusion prevention systems (IDS/IPS), as well as data loss prevention (DLP) solutions, all designed more for awareness than for protection, can pump huge volumes of information and alerts into a SIEM. What they cannot address is the persistent and growing risk from outsiders who have compromised legitimate accounts, and from malicious insiders: an authorized credential used for an unauthorized purpose matches no signature.
Years of escalating attacks have left rules, signatures and patterns producing an alarming quantity of alerts, most of them false positives, and the security staff who triage them are fatigued. Declarative, signature-based defenses are being overwhelmed by well-designed, dynamic and fileless attacks. New attack techniques cannot be fingerprinted after the fact, because polymorphism gives each sample a unique signature.
Best Practices for Keeping Up with Modern Data Access Patterns
Some best practices include: focusing on identity and access, applying analytics, embracing machine learning, and simply being realistic about security.
Focus on identity and access. Identity and access data is the foundation for defining what normal and abnormal user and entity behavior looks like.
If a threat actor wants to steal data from a network, he or she needs access to that data. The threat plane is composed of identities and their associated credentials; they are the basis of access and the direct route to anything on an enterprise's network.
Every security team needs to know who is in their environment, what they have access to, and what they are doing.
Apply analytics. Identity management too often sits in a silo, separate from security. Consequently, enterprises often perform rubber-stamped access certifications in separate systems. Those certifications cannot identify anomalies, because each reviewer sees only a small slice of the access risk plane, and access cloning (granting a new user a copy of an existing user's entitlements) only amplifies the problem by propagating whatever excess the template user already had.
Having a horizontal plane of identity information covering both access and activity is critical for useful access-risk analytics. When enterprises flatten the environment and examine the whole body of access and activity data together, they can run identity analytics across it. This creates a much richer context in which security teams can pinpoint excessive access and access outliers that would otherwise go unnoticed. It also lets a greater number of unnecessary access rights be revoked, while access is provisioned dynamically on the basis of risk scores.
Embrace machine learning. The ever-escalating volume of data across cloud, mobile and on-premises environments makes it impossible for traditional rule-based analytics to process it in a timely and accurate way. Machine learning is the future of that analysis, and it is available now.
Machine learning uses automated, iterative algorithms to learn the patterns in data, detect anomalies, and surface structure that may be new and previously unknown. It scales to volumes and varieties of data that human analysts and hand-written rules cannot keep up with. The caveat is that a model is only as good as the baseline it learns: it must be trained on activity that is representative of normal behavior, and its output still needs an analyst to confirm that an outlier is a threat rather than a legitimate change in someone's job.
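The two preceding practices, running identity analytics over a flattened view of access and activity, and letting the baseline of "normal" be learned from the data rather than written as rules, are concrete enough to show in code. The example below is added here; it is not Gurucul's product or code, and the users, departments, role names, daily record counts and scoring weights are all constructed for illustration. It joins an entitlement view (who holds which role) with an activity view (which roles were actually exercised, and how much), then derives three signals: dormant entitlements, peer-group access outliers, and per-user volume anomalies against a leave-one-out baseline. The z-score baseline is the simplest unsupervised stand-in for the machine-learning models the article has in mind; the point is that no per-user threshold is hand-written.

```python
"""Identity analytics over one flat view of access and activity.

Added example with constructed data; not Gurucul's product or code.
Signals derived from the joined view:
  1. dormant entitlements  (granted but never exercised),
  2. peer-group outliers   (roles almost no department peer holds),
  3. behavioural anomalies (a day's volume far above the user's own
     baseline, learned from their other days rather than a fixed rule).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed entitlement view: user -> (department, set of roles held).
ENTITLEMENTS = {
    "alice": ("finance", {"erp_ap", "erp_gl", "payroll_view"}),
    "bob":   ("finance", {"erp_ap", "erp_gl"}),
    "carol": ("finance", {"erp_ap", "erp_gl", "prod_db_admin"}),
    "dave":  ("eng",     {"prod_db_admin", "git_push", "ci_admin"}),
    "erin":  ("eng",     {"git_push", "ci_admin"}),
    "frank": ("eng",     {"prod_db_admin", "git_push", "ci_admin"}),
}


def _series(user, role, daily_counts):
    """Expand per-day record counts into (user, role, day, count) events."""
    return [(user, role, day, n) for day, n in enumerate(daily_counts, start=1)]


# Constructed activity view: seven days of 'records read' per user and role.
# carol's erp_gl usage jumps from roughly 100/day to 5000 on day 7.
ACTIVITY = (
    _series("alice", "erp_ap", [100, 110, 90, 105, 95, 100, 102])
    + _series("alice", "payroll_view", [20, 20, 25, 20, 20, 20, 22])
    + _series("bob", "erp_ap", [80, 85, 80, 88, 80, 85, 80])
    + _series("carol", "erp_ap", [50] * 7)
    + _series("carol", "erp_gl", [100, 110, 90, 105, 95, 100, 5000])
    + _series("dave", "git_push", [10, 12, 10, 11, 10, 12, 10])
    + _series("dave", "prod_db_admin", [30, 32, 30, 32, 30, 31, 30])
    + _series("erin", "git_push", [15, 14, 15, 16, 15, 15, 14])
    + _series("frank", "git_push", [12, 12, 13, 12, 12, 12, 12])
)


def dormant_roles(entitlements, activity):
    """Roles granted to a user but never exercised in the activity window."""
    used = defaultdict(set)
    for user, role, _day, _n in activity:
        used[user].add(role)
    return {user: roles - used[user]
            for user, (_dept, roles) in entitlements.items() if roles - used[user]}


def peer_outliers(entitlements, min_peer_share=0.5):
    """Roles a user holds that fewer than min_peer_share of department peers hold."""
    by_dept = defaultdict(list)
    for user, (dept, _roles) in entitlements.items():
        by_dept[dept].append(user)
    outliers = {}
    for user, (dept, roles) in entitlements.items():
        peers = [p for p in by_dept[dept] if p != user]
        if not peers:
            continue  # no peer group to compare against
        rare = {r for r in roles
                if sum(r in entitlements[p][1] for p in peers) / len(peers) < min_peer_share}
        if rare:
            outliers[user] = rare
    return outliers


def volume_anomalies(activity, z_threshold=4.0, min_baseline_days=5):
    """Days on which a user's total volume sits far above their own baseline.

    The baseline is the leave-one-out mean and standard deviation of the
    user's other days, so nothing is tuned per user by hand. Only upward
    spikes are flagged; a quiet day is not treated as suspicious here.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for user, _role, day, n in activity:
        daily[user][day] += n
    flagged = {}
    for user, days in daily.items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if len(others) < min_baseline_days:
                continue  # not enough history to call anything abnormal
            sigma = max(pstdev(others), 1.0)  # floor avoids infinite z on flat baselines
            z = (total - mean(others)) / sigma
            if z > z_threshold:
                flagged.setdefault(user, []).append((day, total, round(z, 1)))
    return flagged


def revocation_candidates(entitlements, activity):
    """Entitlements both dormant and rare among peers: the safest to revoke first."""
    dormant, rare = dormant_roles(entitlements, activity), peer_outliers(entitlements)
    return {u: dormant[u] & rare[u] for u in dormant if u in rare and dormant[u] & rare[u]}


def risk_scores(entitlements, activity):
    """Combine the signals into one score per user (weights are illustrative only)."""
    dormant = dormant_roles(entitlements, activity)
    rare = peer_outliers(entitlements)
    spikes = volume_anomalies(activity)
    scores = {}
    for user in entitlements:
        d, r = dormant.get(user, set()), rare.get(user, set())
        scores[user] = (1 * len(d) + 2 * len(r) + 3 * len(d & r)
                        + 5 * len(spikes.get(user, [])))
    return scores


if __name__ == "__main__":
    revoke = revocation_candidates(ENTITLEMENTS, ACTIVITY)
    ranked = sorted(risk_scores(ENTITLEMENTS, ACTIVITY).items(), key=lambda kv: -kv[1])
    for user, score in ranked:
        print(f"{user:6} risk={score:2}  revoke={revoke.get(user, set())}")
```

On the constructed data, carol rises to the top: she holds a role (prod_db_admin) that none of her finance peers hold and that she has never used, and her day-7 volume is hundreds of standard deviations above her own baseline. Alice's payroll_view is also a peer outlier, but it is exercised daily, so it ranks as a review item rather than a revocation candidate. That distinction, outlier access that is used versus outlier access that is dormant, is exactly what a siloed certification cannot see, because the reviewer has the entitlement list but not the activity.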
Be realistic about security. In today's environment, organizations should not be asking whether they will be compromised, but when. For most executives, that perspective frames the response: how do we determine when and where a breach happens, so that we can react in the most efficient way and bring the enterprise back to compliance and stability? There is no easy answer, but focusing on identity and access patterns, to reduce the attack surface and remove access risks, is a great start.
About Saryu Nayyar
Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Saryu also spent several years in senior positions at the IT security practice of Ernst & Young.