UEBA and IAM: Preventive, Non-Intrusive Control
Granting access to a user is an exercise in trust. This is why information security best practices preach following the principle of “least privilege” to mitigate the risk of trusting a user. But even when we give a user exactly and only the right privileges to do their jobs, we are still trusting them with those privileges and expecting them to use them for the right things.
An important part of trusting a user has been to determine whether that trust has been misplaced. Traditionally, this determination has been carried out by logging user behavior and aggregating it for consumption by security professionals. At best, one could expect a real-time notification of something very bad happening, but preventing the consequences of bad behavior has been very difficult. A complementary approach to logging and aggregating is to place preventive controls on what users can do with the access they have been granted. Data Loss Prevention (DLP) tools have been implemented with this objective in mind. They are very useful, but can be limiting to the business and have a negative impact on the user’s experience as they are doing their jobs. Users tend to resist this type of control and can often find ways around it to carry out the functions they have been tasked with.
User & Entity Behavior Analytics (UEBA)
User & Entity Behavior Analytics (UEBA) offers a new approach that bridges this gap, creating a preventive control environment that is palatable for end users. It improves the process of analyzing what users do with their access by applying big data principles and machine learning to patterns of user behavior.
A user’s access behavior is analyzed and measured against the behavior of others who are trusted with carrying out the same or similar job functions. This by itself is a huge step forward because it makes the task of truly monitoring user behavior significantly more feasible.
The prolific Identity and Access Management (IAM) data any enterprise already collects provides much-needed context for behavior, and putting that data to work provides a powerful mechanism and preventive control against potential security incidents. Integrating UEBA with IAM creates a method for proactive remediation based on the detection of user behavior in real time.
This remediation, if executed efficiently, serves a very similar function to the preventive controls that can slow a business down and make life difficult for the user. In a situation where there is a high-probability indicator that a user is behaving in a manner that is not in line with the actions of their peer group, security professionals can take steps to investigate the behavior, or in more severe cases, immediately and automatically prevent the user from continuing with the suspect behavior.
Peer group behavior analysis allows you to let users do what they need to do to accomplish their jobs. As they go about their jobs, a baseline is set, which we can validate using the IAM mechanics of access review and certification. Once the peer group behavior is baselined, behavior analytics becomes a preventive control that mitigates the risk of breaches while continuing to deliver a user experience that enables the business and keeps its users from the sense of frustration that comes from not being able to efficiently do their jobs. This intersection between identity management systems and user behavior analytics will be the new front in the battle against data breaches.
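The peer-group comparison and tiered response described above can be sketched as follows. This is an added example, not code from this post or from any product: the users, roles, activity counts and thresholds are constructed, and the robust z-score (median and MAD) is one assumed choice of statistic, since the post does not name one.

```python
from statistics import median

# Constructed sample data: IAM role per user (the peer group) and
# records read by each user today.
ROLE = {"alice": "claims", "bob": "claims", "carol": "claims", "dave": "claims",
        "erin": "claims", "frank": "claims", "grace": "claims",
        "heidi": "dba", "ivan": "dba", "judy": "dba", "mallory": "dba",
        "oscar": "auditor"}
READS = {"alice": 40, "bob": 46, "carol": 38, "dave": 52, "erin": 44,
         "frank": 130, "grace": 2400,
         "heidi": 2100, "ivan": 2500, "judy": 2300, "mallory": 2400,
         "oscar": 15}

REVIEW_AT = 3.5   # assumed threshold: open an investigation
BLOCK_AT = 10.0   # assumed threshold: automatically suspend the session
MIN_PEERS = 3     # assumed minimum peer count for a usable baseline

def robust_z(value, peers):
    """Deviation of value from the peer median, in MAD units scaled to ~sigma."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:  # all peers identical: any excess is maximally unusual
        return 0.0 if value <= med else float("inf")
    return 0.6745 * (value - med) / mad

def assess(user, role_of=ROLE, activity=READS):
    """Return (action, score) for one user, judged against same-role peers."""
    peers = [activity[u] for u, r in role_of.items()
             if r == role_of[user] and u != user]
    if len(peers) < MIN_PEERS:
        return "review", None  # no baseline yet: route to human access review
    score = robust_z(activity[user], peers)
    # Only activity above the peer baseline escalates.
    if score >= BLOCK_AT:
        return "block", score
    if score >= REVIEW_AT:
        return "review", score
    return "allow", score

if __name__ == "__main__":
    for name in ("alice", "frank", "grace", "mallory", "oscar"):
        print(name, ROLE[name], READS[name], assess(name))
```

The same volume of 2400 reads is blocked for a claims user and allowed for a DBA, which is the context the IAM role data contributes.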
Learn more about this by joining us for our webinar on July 20th at 1pm Eastern Time, “Analytics and Identity – Closing the Loop.”