Using Identity to Stop the Inside Attack

Despite steady investments in security, ever larger data breaches continue to dominate the news. Increasing IT complexity, driven in part by cloud, mobility, and social identity, continue to make the job of security teams even harder. A recent survey of 763 IT security decision makers and practitioners across North America and Europe conducted by CyberEdge and sponsored by NetIQ indicated that over 60% of organizations had experienced at least one breach in the past 12 months. Worse yet, a sizable percentage (15%) had experienced over 5 attacks within the last 12 months! It’s clear that current security approaches to identifying threats and responding to breaches are failing to address the challenges inherent in the new generation of cybercrime.


A closer look at today’s attack methodologies
A look back at the Top 5 breaches of 2013 found attackers fine tuning their methods to bypass traditional security controls. At Target, we saw attackers overcome strong perimeter defenses to install malware on POS systems. Attackers displayed improved social engineering tactics during a campaign of cyber intrusions targeted at natural gas pipeline sector companies dating back to December 2011. We also saw increased attention being paid to cloud service providers as demonstrated with the MongoHQ attack. Last, but not least, we saw the effects of the misuse of privileged user access rights by a defense contractor who was able to leak details of the NSA’s PRISM program.

The common thread among all of these breaches was that the victim organizations were unable to rapidly detect and respond to threats resulting from abnormal or inappropriate activity by internal users acting within their IT infrastructures. These victim organizations were not alone. Our survey indicated that when it came to being confident in their ability to investigate security breaches, only 27% of survey respondents were confident in their ability to perform root-cause analysis.

Whether it was a targeted attack by external cybercriminals using Target’s internal servers to consolidate stolen credit card data, or a lone contractor using his access privileges to download classified documents from top-secret government servers, malicious actors were able to successfully acquire the credentials of a trusted user or abuse their existing credentials to exploit vulnerabilities in the way we manage and monitor internal users that have access to sensitive data, systems or applications. When viewed in this light, it’s clear that ultimately all threat is “inside threat” because in the new reality of IT complexity, bad actors have more ways than ever to breach your perimeter defenses. They will get inside, and once there, can assume the identity of an insider to inflict great damage.

Too much information, not enough intelligence
Traditional security approaches are failing to defend against the newer generation of cyber-attacks. They rely too heavily on perimeter-based defenses and on security tools that are deployed as point solutions after the fact. With a perimeter that is larger and more porous than ever before, there are many more opportunities to breach defenses. And as the IT infrastructure expands and more security tools are added, even more security event “noise” is generated, often without a strategic imperative. Stretched thin security teams are left with mountains of data to analyze and make sense of. In the “noise”, the activities of internal users are often lost and it’s easy to lose track of what is normal user behavior. Security teams begin to miss critical indicators that may signify an attack. When security teams are unable to gain insight into activities and events that may signal a threat because of weak or missing security analysis, a security intelligence gap is said to exist.

Bridging the security intelligence gap with “identity context”
The solution to this problem is an integrated approach to security that incorporates additional context about users and events into security monitoring solutions. When defending against the inside threat, identity is a key source of context for understanding what is normal behavior for users within an organization. Integrating the “identity context” of events and users with privileged user management and monitoring tools can help security teams answer key questions such as: Who is accessing our sensitive data? Is this normal behavior for the individual? Is this activity authorized? Is this a threat? When security teams are provided security data that is enriched with “identity context” from across the organization, they are better able to cut through the “noise” of activity and quickly identify whether user activity poses a threat - and take immediate action if it does.

A new approach to addressing the inside attack - in three simple steps
According to the CyberEdge survey, IT security pros believe protection is weakest for their mobile and social IT domains. Organizations understand that emerging technologies are pushing the envelope of their traditional security programs and are looking for help.  Below, I outline an approach that is built on foundational security best practices, puts “identity” at the heart of good security controls, and plans for continuous security and compliance.

Step 1: Control and monitor privileged users
Focusing protection around the data that matters, and on the users that regularly interact with this data, is a security best practice that helps you to prevent insider attacks and limit the damages from an attack once they occur. This must be done throughout the entire user lifecycle and for service providers and contractors as much as possible. A good privileged user management and monitoring solution can help you reduce the privileged user attack surface.


    • Enforce a “least-privileges” policy. Assign the lowest level of user rights to a user while still enabling the user to do his or her job. This helps to reduce the risk associated from accidents from well-intentioned employees or from malicious outsiders targeting and gaining access to a privileged account with broad access rights.


    • Monitor the activities of privileged users. Make sure that changes and access to sensitive information is authorized. Security teams should be alerted in real-time of suspicious activity so that prompt action can be taken. Rich security information about the activity that details the “who, what, when and where” of an activity should provide the context teams need to take prompt action.

Step 2: Integrate “identity context”
Whether it’s applications, mobile devices or the cloud, as more data becomes available through these platforms with more users accessing this data even faster, tying heterogeneous identities and uniform access policies together and integrating this identity intelligence into security monitoring tools (such as privileged user management and monitoring tools) will become the preferred way to reduce the risk of insider attack.

The process of integrating identity intelligence with security solutions is called identity integration. This process gives you the ability to understand who the individual really is given that individuals will have many different accounts, and access many different services, both internally and externally. You can use the security intelligence that ensues from this process to decide if the user activity is potentially risky, unusual, or business-appropriate.

Integrated identity intelligence provides “identity context” about user activities to security monitoring tools, and answers key questions to enable decision-making, such as:

    • What applications has this user been using?


    • What actions have they been performing in those applications?


    • Are these actions business-appropriate?


    • Is the user activity unusual or anomalous?

The ability to identify when user activity is unusual, anomalous or outside normal business practices will help you reduce the risk of an external attacker posing as an insider, which is the way many Advanced Persistent Threats (APTs) work. It is equally helpful at reducing the risk of an insider maliciously or accidentally exposing your organization to a breach or service interruption.

The good news is that most organizations already have some type of identity and access management solution in place. According to the CyberEdge survey, privileged user/identity management, IAM, and user activity monitoring solutions are all seen as highly effective at reducing the attack surface from internal users, and are in place at many organizations. The data is already there; an automated process to aggregate identity intelligence and integrate it into security monitoring and breach response is all that is needed to help you to disrupt an attack and speed incident response before damage is done.

Step 3: Keep it rolling
The final step in the process is to implement a lifecycle approach to maintaining the security and compliance processes that you put in place to defend against the inside attack. We recommend the use of scheduled and automated compliance assessments and reporting to keep these security processes and controls in place. Additionally, automation helps to augment the resources of IT staffs and helps to ensure that security controls and assessment scale reliably and seamlessly across your IT environment whether your assets reside on-premises or at a 3rd party provider of infrastructure.

Next steps
Effective security must be powered by well-managed identity. By implementing more granular and business-appropriate access controls and tightly integrating identities into security monitoring, the security organization can respond to an attack quickly with the necessary information to limit or prevent a significant and damaging breach from occurring. When security data is enriched with “identity context”, it is transformed into truly actionable security intelligence that teams can use to disrupt an attack and speed incident response before damage is done.

Many vendors can provide identity, access and security management solutions. You must look for one that can give you the tools you need to aggregate identity information from across your IT infrastructure, and integrate this information into your security monitoring tools, delivering the essential “identity context” teams need to recognize – and address – potential attacks faster than ever before thought possible.


Identity & Access Mgmt
Security Operations