How to Use Identity, Behavior and Risk to Prevent Compromised Credentials
Identity, Behavior and Risk. Identity, Behavior and Risk. Almost like a mantra. Think about it for few seconds. Identity, Behavior and Risk are the 3 main pieces of evidence that security personnel would like to deeply understand so they can protect their organization and users from credential compromise
Identity: so I know who I am letting into my domain.
Behavior: so I know they are following guidelines when they are in my kingdom.
Risk: so I can predict potential to sabotage.
I believe we can all acknowledge that our identity is complex. It is more than just credentials or social security number. It folds in many layers of data points, some of which are dynamic and changing. You can think of Identity like a personality. And a few have multiple personalities. In security, Identity is defined by a combination of data points and behavioristic vectors facing multiple directions. For me, Identity is more than your location (such as were you live, work or visit), it’s more than the routes you follow from one place to another, it is more than just your personal details and data (including the valuable piece of all – our mobile number!), it’s not only about the photos and online profile, it is based on our history and background, and it is also about socializing, how we blend and how we interact with our peers.
There are many types of entities in organizations. User accounts, computers and even service accounts and scripts all have multiple layers of complexity that are dynamic and constantly changes. For example, I am not the same guy I was 10 years ago and obviously not 20 years ago. Nor do I follow the same exact activities and interactions all the time. This is why when security analysts want to prevent credential compromise, they need to understand identity and the many factors associated with them. Here are the key requirements to understanding Identity at a point in time:
- Get real data in real time – examine actual data in real time and look forward for patterns (in addition to backwards looking), because you want to examine what accounts are doing right now. No just what they already did. Same as you would for your business — it is important to have continuous delivery from employees and past achievements are important and impact their future performance.
- Get relevant contextual data and cross reference – examine behavior in multiple dimensions like you would do when you hire a person. Cross reference them from multiple sources and compare activity. For example, you may want to compare if a user is behaving similarly on premise and when they are connecting from home sitting around in their underwear.
- Analyze relations – understand who are the peer accounts based on various changing factors such as physical proximity, roles and more. Then compare their behaviors to identify legitimate behavioral changes.
- Profile – it may not be politically correct to admit it and even debate — but yes, as humans and animals, it is natural for us to profile people and categorize them before we even get to know them. This is allows us to manage huge piles of data pieces. We classify and judge based on role, location, what we do, what we did, what we wear and you know all the rest. It is a risky sphere and in order to avoid prejudice it is recommend to focus on behavior. Having all data accessible centrally, in a structured manner and constantly up to date such as a profile page is crucial for understanding users.
- Continuously monitor – I admit, I care about my online and physical presence. I want my FICO score to be perfect. I prefer my reputation at home and work to be spotless. I don’t want my identity to be stolen, manipulated or abused when so many others are. It’s important to continuously monitor, assess, measure and then compare behavior, including peers activity. That way it’s easy to detect changes and realize if there is actual change or abuse in a repeatable way. Similar to getting notification from your credit card company letting you know there is a deviation in your card activity.
Put it all together
To sum, when we understand Identity and Behavior and we can measure Risk we as organization or single persona can adapt our reactions accordingly. For example, as people we may address messages differently based on a person’s profile, same as an organization may respond differently based on the identity, behavior and risk levels. This can then be used for security, for training, for staff appraisals, coaching and other uses.
Posted by Eran Cohen on January 25, 2018 10:00 AM