Identity Management: The Key to SOC Success or Failure
Whether an external attacker is breaking into your organisation or a malicious insider is exfiltrating data using legitimate access, there is little argument that both attacks require some form of identity on the target system in order to act. Modern enterprise ICT systems use a variety of technologies to attest to the identity of users, but understanding when and how that identity was asserted, and what it was then used to do, is equally important.
Identity Management: Seamlessly Identify and Authenticate
Enterprise solutions must deal with more than the simple username/password combination of old. Hybrid environments comprise cloud-based as-a-service offerings, on-premise applications and data sources published via APIs, all of which are accessed by a mix of permanent, contract and casual staff. Single sign-on is now essential given the number of disparate systems the workforce interacts with, so the identity and access management (IAM) solution used by the business needs to be flexible and complete enough to federate identity across every architecture and application in use.
Furthermore, most enterprises have adopted multifactor authentication to better protect their systems and data, especially for remote access and privileged access, where the consequences of a compromised credential are most severe.
With such complexity in the enterprise, it has become difficult to distinguish legitimate users from those who wish you harm. For this reason, your security monitoring needs to hook into each of your identity stores and consume the authentication and authorisation events from the access management solution that show what is actually happening.
Identity Management: Auditing User Activity
Identity and access management systems need to be tuned to provide the most appropriate audit trail of what is happening on your systems. Firstly, log files and individual security events need to record an accurate time, allowing you to correlate activities across multiple sources and produce a timeline of actions taken by the user; this is an essential component of any forensic investigation. Most enterprise systems synchronise to a consistent time source (typically NTP) these days, but if you are ingesting logs from cloud-based solutions hosted in another country, or from appliances that log in local time without stating a time zone, the timestamps will arrive in different formats and different zones. You will need to normalise them to a single zone (ideally UTC) and a single format before correlating anything, otherwise an event that looks ten hours later than another may simply have been recorded in a different zone.
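The normalisation step described above, as an added example that is not code from the original article or from Huntsman Security. It assumes four identity log sources (an on-premise directory server and a VPN appliance logging local time at UTC+10, an overseas cloud identity provider logging ISO 8601 in UTC, and an API gateway logging epoch seconds) and uses constructed sample events; the source names, formats and offset are assumptions, not real product output.

```python
"""Normalise timestamps from mixed identity log sources to UTC and merge them
into a single timeline.

Added example, not code from the original article or from Huntsman Security.
The four sources, their formats and the local time zone are assumptions:
  ad   - on-premise directory server, day-first local time, no zone in the line
  vpn  - remote-access appliance, classic syslog stamp (no year, local time)
  saas - cloud identity provider hosted overseas, ISO 8601 in UTC ('Z')
  api  - API gateway, Unix epoch seconds
"""
from datetime import datetime, timedelta, timezone

# Assumed offset of the on-premise sources (UTC+10, no DST handling). In a real
# collector this comes from configuration, never from the log line itself.
LOCAL_TZ = timezone(timedelta(hours=10))


def parse_timestamp(source: str, raw: str, year_hint: int = 2024) -> datetime:
    """Return an aware UTC datetime for one raw timestamp from a known source."""
    if source == "saas":
        # ISO 8601. fromisoformat() only accepts a trailing 'Z' from Python 3.11,
        # so rewrite it to an explicit offset first.
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            raise ValueError(f"saas timestamp without zone: {raw!r}")
        return dt.astimezone(timezone.utc)
    if source == "ad":
        # e.g. '12/01/2024 23:10:05': day-first local time; naive, so attach the zone.
        dt = datetime.strptime(raw, "%d/%m/%Y %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        return dt.astimezone(timezone.utc)
    if source == "vpn":
        # e.g. 'Jan 12 23:08:30': syslog omits the year, so supply it from the
        # collection context. A fixed hint breaks around New Year; real
        # collectors track the rollover instead.
        dt = datetime.strptime(f"{year_hint} {raw}", "%Y %b %d %H:%M:%S")
        return dt.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    if source == "api":
        # Epoch seconds are zone-free by definition.
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    raise ValueError(f"unknown source {source!r}")


def build_timeline(events):
    """Normalise every event and return them ordered by true (UTC) time.

    Each event is (source, raw_timestamp, user, message); the result keeps the
    raw stamp next to the normalised one so an analyst can see both.
    """
    rows = []
    for source, raw, user, message in events:
        ts = parse_timestamp(source, raw)
        rows.append((ts, {"ts": ts.isoformat(), "source": source,
                          "raw_ts": raw, "user": user, "message": message}))
    rows.sort(key=lambda r: r[0])
    return [row for _, row in rows]


# Constructed sample events for one user across the four sources. Read as raw
# clock times they look out of order (the 'ad' stamp appears ten hours late).
SAMPLE_EVENTS = [
    ("ad", "12/01/2024 23:10:05", "jsmith", "Interactive logon to WKS-17"),
    ("api", "1705065080", "jsmith", "GET /customers/export"),
    ("saas", "2024-01-12T13:09:12Z", "jsmith", "MFA push approved"),
    ("vpn", "Jan 12 23:08:30", "jsmith", "Tunnel established from 203.0.113.7"),
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EVENTS):
        print(f'{e["ts"]}  {e["source"]:<5} {e["raw_ts"]:<22} {e["message"]}')
```

Once normalised, the four events read as a coherent sequence: VPN tunnel, MFA approval, interactive logon, then the customer export, which is the order an investigator needs. Keeping the raw stamp alongside the normalised one matters in forensics, since the analyst must be able to show how each time was derived.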
Introducing Rules and Data Correlations
Once you are confident that you can establish a reliable timeline, you can start introducing rules and data correlations into your monitoring system to analyse user behaviour. The security team can use a security information and event management (SIEM) system to detect anomalies or indicators of compromise that alert them to a threat, and from there they can launch an investigation to see what is really going on.
The information and systems your users access should be recorded in your logs; your SIEM can then build a profile of what normal looks like for any given user, and if something changes or looks out of the ordinary the SOC team can investigate. It is worth noting that some user activities are riskier than others, so you need to decide what should be baselined: trying to baseline everything across the whole enterprise, rather than the assets and activities that matter, will overload your SOC team with low-value investigations.
Investigate how information is being accessed
Look at how your users are accessing your applications rather than simply whether they are accessing them. If a user has suddenly started accessing a critical business application from home after midnight at the weekend, rather than from the office during the day, this could indicate an attack. It might be as simple as the user wanting to catch up on some work and this being the time they chose to do it; however, it could also indicate that the user has been offered another job and is taking your customer database with them. Alternatively, their account may have been hijacked. Either way, your security team now needs to investigate to establish what is going on.
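The baselining and scoring logic the two passages above describe, as an added example that is not code from the original article or from Huntsman Security's BAD product. It learns, per user, the hours and weekdays they work, the applications they use and whether they have ever connected from outside the office networks, then scores a new access against that profile and raises the severity only when the application is one of the critical ones. The office address ranges, the critical-application list and the log records are constructed assumptions; the timestamps are taken to be already normalised to UTC, with the office assumed to work UTC hours.

```python
"""Baseline how each user normally accesses applications and flag deviations,
weighting the result by how critical the application is.

Added example, not code from the original article or from Huntsman Security's
BAD product. The office networks, the list of critical applications and the
log records are constructed assumptions; timestamps are taken to be already
normalised to UTC and the office is assumed to work UTC hours.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

OFFICE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
CRITICAL_APPS = {"crm"}  # assumed: the customer database the article worries about


def is_office(src_ip: str) -> bool:
    """True when the source address falls inside one of the office ranges."""
    addr = ip_address(src_ip)
    return any(addr in net for net in OFFICE_NETS)


def build_profiles(history):
    """Learn, per user, the hours and weekdays they work, the apps they use and
    whether they have ever come in from outside the office networks."""
    profiles = defaultdict(lambda: {"hours": set(), "weekdays": set(),
                                    "apps": set(), "seen_external": False})
    for ev in history:
        ts = datetime.fromisoformat(ev["ts"])
        p = profiles[ev["user"]]
        p["hours"].add(ts.hour)
        p["weekdays"].add(ts.weekday())
        p["apps"].add(ev["app"])
        if not is_office(ev["src_ip"]):
            p["seen_external"] = True
    # Pad each observed hour by one either side so a 08:55 logon is not an
    # anomaly for someone who usually starts at 09:00. Production systems use
    # a distribution over weeks of history rather than a set with fixed padding.
    for p in profiles.values():
        p["hours"] = {(h + d) % 24 for h in p["hours"] for d in (-1, 0, 1)}
    return profiles


def score_event(profiles, ev):
    """Return (severity, reasons) for one new access event."""
    p = profiles.get(ev["user"])
    if p is None:
        return "high", ["user has no baseline"]
    ts = datetime.fromisoformat(ev["ts"])
    reasons = []
    if ts.hour not in p["hours"]:
        reasons.append("outside usual hours")
    if ts.weekday() not in p["weekdays"]:
        reasons.append("on a day never worked before")
    if not is_office(ev["src_ip"]) and not p["seen_external"]:
        reasons.append("first access from outside the office network")
    if ev["app"] not in p["apps"]:
        reasons.append("application never used before")
    if not reasons:
        return "none", []
    # The same deviations matter far more against a critical application;
    # this is the focus the article asks for instead of alerting on everything.
    return ("high" if ev["app"] in CRITICAL_APPS else "low"), reasons


# Constructed history: jsmith used the CRM and email from the office between
# 09:00 and 16:59 UTC, Monday 8 to Friday 12 January 2024.
SAMPLE_HISTORY = [
    {"user": "jsmith", "ts": f"2024-01-{day:02d}T{hour:02d}:{minute:02d}:00+00:00",
     "src_ip": "10.20.1.55", "app": app}
    for day in range(8, 13)
    for hour in range(9, 17)
    for minute, app in ((5, "crm"), (35, "email"))
]

# Constructed new events: the article's scenario (critical app, from outside,
# after midnight on a Sunday), the same pattern against a low-value app, and
# a normal Monday morning.
SUNDAY_CRM = {"user": "jsmith", "ts": "2024-01-14T01:20:00+00:00",
              "src_ip": "203.0.113.7", "app": "crm"}
SUNDAY_EMAIL = dict(SUNDAY_CRM, app="email")
MONDAY_NORMAL = {"user": "jsmith", "ts": "2024-01-15T10:05:00+00:00",
                 "src_ip": "10.20.1.55", "app": "email"}

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_HISTORY)
    for ev in (SUNDAY_CRM, SUNDAY_EMAIL, MONDAY_NORMAL):
        print(ev["ts"], ev["app"], score_event(profiles, ev))
```

The Sunday 01:20 access to the CRM from 203.0.113.7 scores high with three reasons; the identical access to email scores low, and the Monday morning access scores none. Note that the code cannot tell the employee catching up on work from the one leaving with the customer database: it surfaces the deviation and the analyst establishes the motive.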
Identity Management: Behaviour is The Key
Having a better understanding and view of user behaviour will soon become one of the most crucial aspects of detecting threats, especially as the complexity of systems grows. Luckily, systems that record user behaviours and report on anomalies are available today, and Huntsman Security’s Behaviour Anomaly Detection (BAD) technology is one of the most advanced in the market.
BAD establishes a dynamic, multi-dimensional baseline of normal user, system and network behaviour across the whole enterprise, continuously monitoring for activity that deviates from these learned patterns. An anomaly is then passed to the Automated Threat Verification (ATV) engine to assess and verify whether it’s a legitimate threat or not, thus allowing for automated remediation – saving time and analyst effort.
This removes the administrative burden on the SOC analyst of continually developing new correlation rules for behaviour, which are often the most complicated rules and carry the highest rate of false positives. Automation addresses this problem.
Behavioural Analysis is a discipline
It’s also worth considering, however, that behavioural analysis is more than just your technology solution. Rather it’s a discipline that demands attention from analysts who have the inquisitive mind of an investigator. The best implementations use a combination of great technology (like BAD) and talented investigators to get to the truth of the matter. Security investigators provide the oversight needed to complete the investigation, since automated systems can be tuned to detect anomalous behaviours but can’t recognise motive.
Set your SOC on the path to success
Good identity management is pivotal to the success or failure of your SOC; it is the cornerstone of any good security architecture. It is not only about providing access, it is about recording who accessed what information and when.
The identity and access management solution’s logs and security events provide some of the richest information your system can produce, if the log sources and systems are tuned correctly. When the right information is ingested into a behavioural analysis tool such as BAD, the system can then build a profile of what normal looks like and use that baseline to greatly assist your security team in locating threats.