Part II – Identity
As the business world continues to embrace cloud and mobile technologies, and any semblance of a secure network perimeter is being obliterated, it is imperative for cyber security pros to focus their efforts on the technologies and techniques that will have the greatest impact in the shortest amount of time for the greatest number of users. This is why focusing on identity management is increasingly seen as a sound cyber security practice. In a perimeter-less world, if you can know what people are doing on the network and can limit that activity and their access based on roles or other privileges, you will be far more able to thwart a cyberattack before it gets out of hand or even gets started. According to one highly placed security industry CTO, "If you could achieve that guarantee at all times, your problems would more-or-less be solved. And identity is foundational in that regard."
His premise holds that all breaches involve co-opting the identity of someone with network access. If you can shut down that access when suspicious activity is spotted, you can stop an attack immediately, and there are plenty of network monitoring and identity and access management (IAM) solutions that can help you do just that. Focusing on identity over perimeter defense also works well in a world where attacks are more targeted, with attackers looking to achieve specific objectives (such as a document dump to WikiLeaks) or to steal intellectual property. This micro-targeting doesn't require much skill to achieve, either (social engineering and spear-phishing attacks are quite successful, for example). When combined with the time-tested techniques of malware actively disguising its own code to evade detection (called polymorphism and metamorphism), it makes detecting malware much harder.
According to Gartner analyst Neil MacDonald, "[a]dvanced targeted attacks make prevention-centric strategies obsolete. Securing enterprises … will require a shift to information- and people-centric security strategies, combined with pervasive internal monitoring and sharing of security intelligence."
Specifically, he predicts that by "2018, 80% of endpoint protection platforms will include user activity monitoring and forensic capabilities, up from less than 5% in 2013," and by "2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013."
By focusing on identities (and network visibility), security pros can go on offense. This matters given the nature of advanced persistent threats (APTs), which lurk on the network monitoring behavior before launching an attack and establish multiple entry points in case one or more are detected and shut down. Because these threats are subtle, thwarting APTs requires looking for access and network traffic anomalies that indicate an attack is underway.
Google Goes All In on Identity
This is why, at least in part, in 2014 Google embraced a radical new approach to network security called BeyondCorp "that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of a user’s network location—be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials."
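To make the BeyondCorp principle concrete, here is an added example (not Google's code, and not part of the original article) of an access decision that consults only user identity and device state. The trust tiers, attribute names, the 30-day patch window and the sample users, devices and resources are all assumptions constructed for illustration; the requester's source IP is recorded for audit but never influences the verdict.

```python
"""
BeyondCorp-style access decision (added example; not Google's implementation).

Every request is judged on who the user is and what state the device is in.
The network the request arrives from is logged for audit only. All attribute
names, tiers and thresholds below are assumptions for this illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_verified: bool       # strong authentication completed for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the device inventory
    disk_encrypted: bool
    last_patch: date         # date of the last OS patch
    cert_valid: bool         # device certificate chains to the corporate CA


@dataclass(frozen=True)
class Resource:
    name: str
    required_group: str
    required_tier: int       # minimum device trust tier (0..3)


def device_tier(dev: Device, today: date) -> int:
    """Map device state to a trust tier: 0 = untrusted, 3 = fully trusted."""
    if not dev.managed or not dev.cert_valid:
        return 0
    tier = 1
    if dev.disk_encrypted:
        tier += 1
    if (today - dev.last_patch).days <= 30:   # assumed patch freshness window
        tier += 1
    return tier


def decide(user: User, dev: Device, res: Resource, source_ip: str,
           today: date) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). source_ip is deliberately never consulted."""
    reasons: list[str] = []
    if not user.mfa_verified:
        reasons.append("user not MFA-verified")
    if res.required_group not in user.groups:
        reasons.append(f"user not in group {res.required_group}")
    tier = device_tier(dev, today)
    if tier < res.required_tier:
        reasons.append(f"device tier {tier} below required {res.required_tier}")
    allowed = not reasons
    # Audit record: location is kept for investigation, not for the decision.
    print(f"{'ALLOW' if allowed else 'DENY'} user={user.name} device={dev.device_id} "
          f"resource={res.name} src={source_ip} reasons={reasons}")
    return allowed, reasons


def sample_decisions() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios showing that location does not drive the outcome."""
    today = date(2024, 3, 15)
    alice = User("alice", frozenset({"eng"}), mfa_verified=True)
    bob = User("bob", frozenset({"eng"}), mfa_verified=False)
    laptop = Device("lt-001", True, True, date(2024, 3, 1), True)      # tier 3
    stale = Device("lt-002", True, True, date(2023, 11, 1), True)      # tier 2
    byod = Device("ph-009", False, True, date(2024, 3, 1), False)      # tier 0
    source_repo = Resource("source-repo", "eng", required_tier=3)
    wiki = Resource("wiki", "eng", required_tier=1)
    return {
        # Managed, patched laptop from a coffee shop: allowed.
        "coffee_shop_managed": decide(alice, laptop, source_repo, "203.0.113.7", today),
        # Unmanaged phone on the corporate LAN: denied despite the "inside" address.
        "corp_lan_unmanaged": decide(alice, byod, wiki, "10.0.0.12", today),
        # Good device, but stale patches keep it below the repo's required tier.
        "stale_device": decide(alice, stale, source_repo, "10.0.0.13", today),
        # Good device, but the user never completed MFA.
        "no_mfa": decide(bob, laptop, wiki, "198.51.100.4", today),
    }


if __name__ == "__main__":
    sample_decisions()
```

The point the scenarios make is the one in the quote above: the request from the corporate LAN on an unmanaged phone is denied while the same user on a managed, freshly patched laptop in a coffee shop is allowed, because the decision inputs are identity and device posture, not address.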
Many users already employ IAM tools and feel their monitoring is appropriate, but what they lack in many instances are the analytics to turn that monitoring into actionable insights, said Jon Oltsik, ESG senior principal analyst, in his column for NetworkWorld. Oltsik believes that user behavior analytics (UBA) is the next logical evolution of IAM as a security toolset. "In my opinion, UBA can accelerate the detection of APTs that emanate from a compromised user’s system," he said. He also believes the technology will be instrumental in stopping insider threats because it is "designed to do the heavy analytical lifting – an important point given the global cybersecurity skills shortage." If he and others in the cyber security intelligentsia are correct, and there are viable solutions that can be implemented today, then maybe cyber security will soon come to mean just what it says instead of the oxymoron it is today.
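The "heavy analytical lifting" Oltsik describes, and the access anomalies mentioned earlier as the way to spot an APT, come down to comparing each new action against what is normal for that user. The following added example (not any vendor's product and not from the original article) builds a per-user baseline from constructed historical access events and scores new events against it. The event format, the three signals (new country, off-hours access, download volume above mean plus three standard deviations), the scoring weights and the sample data are all assumptions made for illustration.

```python
"""
Minimal user behavior analytics (added example; not any vendor's UBA product).

A baseline of normal behavior is learned per user from historical events, and
each new event is scored on how far it departs from that baseline. Event
fields, weights and thresholds are assumptions chosen for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: (user, ISO timestamp, country, resource, bytes downloaded)
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "US", "crm", 100_000),
    ("alice", "2024-03-05T10:30:00", "US", "crm", 120_000),
    ("alice", "2024-03-06T11:05:00", "US", "wiki", 110_000),
    ("alice", "2024-03-07T14:40:00", "US", "crm", 130_000),
    ("alice", "2024-03-08T16:15:00", "US", "wiki", 140_000),
    ("bob",   "2024-03-04T08:50:00", "US", "repo", 80_000),
    ("bob",   "2024-03-05T10:20:00", "US", "repo", 90_000),
    ("bob",   "2024-03-06T13:10:00", "US", "repo", 100_000),
    ("bob",   "2024-03-07T15:45:00", "US", "repo", 90_000),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice",   "2024-03-11T10:02:00", "US", "crm", 115_000),     # routine
    ("alice",   "2024-03-12T03:27:00", "RU", "crm", 5_000_000),   # new country, off-hours, bulk pull
    ("bob",     "2024-03-11T10:45:00", "US", "repo", 300_000),    # larger than usual, otherwise normal
    ("mallory", "2024-03-11T12:00:00", "US", "repo", 50_000),     # account with no history
]


def build_baseline(events):
    """Per-user profile: countries seen, hours of activity, and download statistics."""
    raw = defaultdict(lambda: {"countries": set(), "hours": set(), "bytes": []})
    for user, ts, country, _resource, nbytes in events:
        p = raw[user]
        p["countries"].add(country)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["bytes"].append(nbytes)
    return {
        user: {
            "countries": frozenset(p["countries"]),
            "hours": frozenset(p["hours"]),
            "bytes_mean": mean(p["bytes"]),
            "bytes_sd": pstdev(p["bytes"]),
        }
        for user, p in raw.items()
    }


def score_event(baseline, event):
    """Return (score, flags) for one event; higher scores mean more unusual."""
    user, ts, country, _resource, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return 3, ["no baseline for user"]       # unknown accounts get reviewed
    score, flags = 0, []
    if country not in profile["countries"]:
        score += 2
        flags.append(f"new country {country}")
    hour = datetime.fromisoformat(ts).hour
    if hour not in profile["hours"]:
        score += 1
        flags.append(f"off-hours access at {hour:02d}:00")
    limit = profile["bytes_mean"] + 3 * profile["bytes_sd"]
    if nbytes > limit:
        score += 2
        flags.append(f"download {nbytes} exceeds baseline limit {limit:.0f}")
    return score, flags


def detect(history, new_events, alert_at=3):
    """Score every new event and return (user, score, flags) for those worth an alert."""
    baseline = build_baseline(history)
    alerts = []
    for event in new_events:
        score, flags = score_event(baseline, event)
        if score >= alert_at:
            alerts.append((event[0], score, flags))
    return alerts


def run_sample():
    """Run detection over the constructed data above."""
    return detect(HISTORY, NEW_EVENTS)


if __name__ == "__main__":
    for user, score, flags in run_sample():
        print(f"ALERT user={user} score={score} flags={flags}")
```

Run as written, alice's 03:27 pull from a new country scores on all three signals and is alerted, the unknown account mallory is alerted for lacking any baseline, and bob's larger-than-usual download scores below the alert threshold on its own. That last case is the tuning question a real deployment faces: a single signal is usually noise, and the value of UBA lies in correlating several weak signals per identity rather than alerting on any one of them.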