Evaluating IAM solutions can be complex. Understanding how to evaluate security analytics is key to making decisions.
In this day and age of Machine Learning (ML), analytics systems can become very complex, very quickly. Having some basic rules and seemingly simple questions to ask will come in handy when evaluating such systems. In this blog, I’ll lay down some basic rules which will help in evaluating and choosing the right IAM and MFA solutions, especially if you’re looking for solutions based on User and Identity Behavior Analytics (UEBA/UBA), Identity Analytics or general Security Analytics. So, let’s dive in!
Security Analytics is all about generating insights by collecting, preparing, and analyzing data from various sources. With these insights, automated responses are orchestrated that can help IT and security teams stay ahead of malicious actors and attacks to mitigate risk. Traditional Security Intelligence tools have largely focused on collecting logs and event data from networking and infrastructure sources to generate those insights and automate responses. However, in today’s perimeter-less world, where Identity is the only true perimeter, adopting a Zero Trust approach to reduce risk requires these systems to leverage the rich information generated within Identity and Access Management systems and embrace the concept of User Behavior Risk.
Consequently, Identity and User Behavior Risk analytics needs to be a key component of any security analytics strategy, which involves intelligently protecting access to critical resources from potentially risky users. Pretty much all Identity and Access Management (IAM) tools these days claim to be able to adapt to risky situations and offer some sort of “adaptive risk access” through identity and user behavior analytics. It then becomes challenging to differentiate between these tools, especially given the technical complexity of the various mechanisms that can be deployed when analyzing data, for example, rules engines and Machine Learning. IT and security personnel tasked with analyzing and testing these tools must therefore consider the following simple yet powerful rules of thumb.
Remember – The more contexts, the higher the fidelity and reliability of the tool. If you have garbage going in, you will have garbage coming out.
Analytics is all about the quality of the data, its comprehensiveness, and the data science that drives how well it is analyzed (also known as the Model). Quality refers to how well cleaned, prepared, and wrangled the data is for downstream consumption. Comprehensiveness refers to the various contexts and sources from which the tool collects data. “How well” covers not just the quantity of data but also which algorithms, encoding and normalization techniques are used to efficiently and accurately extract identity behavior and continuously assess it for risk from an optimally sized dataset.
This is critical, especially when dealing with large volumes of data over a lengthy period of time. For example, when a user accesses an app, he/she uses an endpoint device (such as a mobile phone) from a location, traverses a network comprising firewalls, gets authenticated, assumes a role, and then performs some activity. A good IAM tool gathers information from all of these contexts (device, location, time, network, directory services, role-based access etc.) and then “learns” about access patterns over a period of time.
Automation is key.
Okay, so you are able to “intelligently” and “continuously” gain visibility into the various behavioral patterns of identities, but are you also able to protect the critical resources that may be under attack? And what does protection entail? Here again, remember the various contexts. A good tool is able to protect the endpoint, step up authentication and employ the strictest of assurance levels through Multi-Factor Authentication (MFA), limit access through coarse-grained Role-Based Access Control (RBAC) and fine-grained entitlements management, log malicious activity, and notify the right admins and users. And all of this happens seamlessly and “automatically”.
Automation goes hand in hand with Orchestration.
The right IAM tool is able to “Orchestrate” with other key IT and SIEM tools so that other workflows and remediation methods can be invoked in an automated way, using technologies such as webhooks and APIs and exchanging information through standard event formats and programmatic interfaces.
UBA-based continuous authentication must lead to better end user experience!
Deploying this tool must not come at the cost of user experience. Period. One of the most significant challenges that IT and Security teams face these days is protecting the identity perimeter while keeping the good identities happy! Continuous risk assessment and stepping up security only when required is therefore a must, and the tool must offer this through the right policy knobs, which can be fine-grained down to the application level.
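The rules above, reduced to a small added sketch (not Idaptive's product or model): a per-user baseline is learned from the device, location, time and network contexts, a new access is scored by how unfamiliar it is, and per-application thresholds decide whether to allow, step up to MFA, or deny. The field names, weights, thresholds and sample events are assumptions, and a plain frequency count stands in for the ML model.

```python
from collections import Counter, defaultdict

CONTEXTS = ("device", "location", "time", "network")  # contexts named in the post
# Assumed weights and per-application thresholds (step-up, deny); tune per deployment.
WEIGHTS = {"device": 0.35, "location": 0.30, "time": 0.10, "network": 0.25}
POLICY = {"wiki": (0.50, 0.95), "payroll": (0.20, 0.60)}

def ev(user, device, location, time, network, app="wiki"):
    """Build one access event; field names are hypothetical."""
    return dict(user=user, device=device, location=location,
                time=time, network=network, app=app)

def learn(events):
    """Count how often each user was seen with each value of each context."""
    baseline = defaultdict(lambda: {c: Counter() for c in CONTEXTS})
    for e in events:
        for c in CONTEXTS:
            baseline[e["user"]][c][e[c]] += 1
    return baseline

def risk(baseline, e):
    """Weighted rarity of the event: 0.0 = fully familiar, 1.0 = nothing seen before."""
    if e["user"] not in baseline:
        return 1.0  # no learned history for this identity
    seen = baseline[e["user"]]
    score = sum(WEIGHTS[c] * (1 - seen[c][e[c]] / sum(seen[c].values()))
                for c in CONTEXTS)
    return round(score, 3)

def decide(baseline, e):
    """Map the risk score to an action using the target application's thresholds."""
    step_up, deny = POLICY[e["app"]]
    r = risk(baseline, e)
    return "deny" if r >= deny else "mfa" if r >= step_up else "allow"

# Constructed history: alice mostly works from a corporate laptop, sometimes a phone.
HISTORY = ([ev("alice", "laptop-1", "US", "day", "corp")] * 8
           + [ev("alice", "phone-1", "US", "evening", "home")] * 2)
BASELINE = learn(HISTORY)

if __name__ == "__main__":
    for e in (ev("alice", "laptop-1", "US", "day", "corp", "payroll"),
              ev("alice", "laptop-1", "FR", "day", "corp", "wiki"),
              ev("alice", "laptop-1", "FR", "day", "corp", "payroll"),
              ev("alice", "tablet-9", "BR", "night", "cafe", "wiki")):
        print(e["app"], e["device"], e["location"], risk(BASELINE, e), decide(BASELINE, e))
```

The same unfamiliar-location login is allowed into the low-sensitivity app but triggers MFA for payroll, which is the application-level policy knob the last rule asks for.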
Now that the rules have been established, do visit our product portfolio and sign up for a free trial to see how Idaptive will help you address and achieve these through our UEBA-based adaptive MFA and Access Management solutions.