Axitea Editorial Staff
To effectively counter the risks associated with the use of digital identities, we must increase our dynamic defence capabilities, focusing on the behaviour of apparently ‘regular’ users and monitoring their deviations from defined patterns of behaviour in real time.
A good approach in this respect could arise from the development of a new posture monitoring system through two types of solutions.
The cyber threat landscape has become increasingly complex and infrastructures are increasing their access points every day in order to be responsive to new business needs: externally exposed applications, internal credentials assigned to external consultants, and BYOD policies are good examples.
Several best practices for preventing cyber attacks show that the user is at the centre of compromises and shift the responsibility for identity hygiene to the end user; the new IAG (Identity Access Governance) technologies, by contrast, aim to restrict the user's scope of action to only the actions necessary, so as to contain the compromise, assuming that it has already taken place and that the impact of access to systems must be mitigated (the concept of segregation of duties).
The future of next-generation computer security is precisely the union of two subjects and worlds: the technical world of user behaviour analysis solutions and the management world of assigning profiles and identities to each user in order to optimally implement the zero-trust concept.
When we talk about identity hygiene, we mean the process of profiling corporate users using advanced IAG platforms with the aim of governing the users and being proactive in terms of change management.
Every IAG activity is based on two pillars: authentication and access. These two components must be combined, with all the facets this entails, in order to manage the identity and access policies of applications on premises and in the cloud.
In the future, these platforms will increasingly be the orchestrator of corporate users in order to be able to unequivocally track the privileges assigned to each user through a unique ‘footprint’.
The difficulty lies in mapping the roles and actions that users perform on applications, so as to offer a Role-Based or Attribute-Based model and then generate reports to populate the User Entity Behaviour Analytics technology.
Change is the constant in an organisation: onboarding and offboarding must be approached with an overall view, and an automated system is indispensable for managing them well. The provisioning of users must have a very low margin of error, as must the elimination of credentials of figures no longer present in the company, and in this area a technology of this type can be key.
The automation of these processes becomes increasingly important in order to relieve helpdesks of mechanical tasks, and in this respect IAG technologies have adapted over time.
How does user analysis help security teams speed up detection and investigation? At any given time, companies should ideally be able to answer several key questions: Who is trying to access my systems? Where are they entering from? Who accesses the systems? What do those users do once they have logged in? Are there anomalies to be addressed?
UEBA (User Entity Behaviour Analytics) solutions help answer precisely these questions: they are advanced platforms for real-time analysis of user and entity behaviour, a type of IT security process that records standard user behaviour and updates it daily by automatically learning any differences in the pattern through Machine Learning models and algorithms.
Such platforms are able to verify deviations from the patterns defined (and updated in real time) and report such deviations in real time to the company’s event monitoring and control structures. UEBA is designed to process huge volumes of data from various sources, including structured and unstructured datasets.
It can analyse data relationships over time, between applications and networks, and analyse millions of bits to find ‘meanings’ that can help detect, predict and prevent threats. These threats can be summarised in the following types:
The synergy between these two ways of dealing with corporate security will be the winning model for several reasons.
First, UEBA engines by their very nature generate a significant number of false positives, which often have to be managed by dedicated teams or service providers. Enriching the detected alerts with the company’s own records on the actual profile of the user who performed the action clarifies the activity perimeter of the analysed entity much better. Finally, where there is a SOC (Security Operations Centre), it can be given all the right information for managing the event.
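The enrichment described above, sketched as an added example (not from the original article or any Axitea product): UEBA alerts are checked against IAG role and lifecycle data before they reach the SOC. All user names, roles, action labels, the score scale and the 0.8 threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed IAG export (hypothetical names): role -> permitted (action, resource).
ROLE_ENTITLEMENTS = {
    "hr_clerk": {("read", "hr_db"), ("update", "hr_db")},
    "ext_consultant": {("read", "crm")},
    "db_admin": {("read", "hr_db"), ("grant_role", "hr_db")},
}
# Constructed identity records: user -> (role, account_active).
IDENTITIES = {
    "a.rossi": ("hr_clerk", True),
    "c.bianchi": ("ext_consultant", True),
    "m.verdi": ("db_admin", False),  # left the company, credentials not yet removed
}
PRIVILEGE_ACTIONS = {"grant_role", "add_admin"}  # assumed labels for privilege changes

@dataclass(frozen=True)
class Alert:
    user: str
    action: str
    resource: str
    score: float  # anomaly score from the UEBA engine, 0.0 to 1.0 (assumed scale)

def triage(alert, high_score=0.8):
    """Return (priority, reason) for one UEBA alert after IAG enrichment."""
    identity = IDENTITIES.get(alert.user)
    if identity is None:
        return "high", "identity unknown to IAG"
    role, active = identity
    if not active:
        return "high", "offboarded account still in use"
    if (alert.action, alert.resource) not in ROLE_ENTITLEMENTS.get(role, set()):
        kind = "privilege change" if alert.action in PRIVILEGE_ACTIONS else "action"
        return "high", f"{kind} outside role {role}"
    # In role: valid credentials can still be abused, so keep strong deviations.
    if alert.score >= high_score:
        return "medium", f"in role {role}, strong deviation"
    return "low", f"in role {role}, likely false positive"

# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    Alert("a.rossi", "update", "hr_db", 0.55),
    Alert("a.rossi", "read", "hr_db", 0.92),
    Alert("c.bianchi", "grant_role", "crm", 0.60),
    Alert("m.verdi", "read", "hr_db", 0.30),
]
if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.user, a.action, a.resource, *triage(a))
```

Alerts that fall inside the role perimeter are lowered in priority rather than discarded, so the SOC still sees strong deviations by legitimate accounts.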
Secondly, it will be much easier to protect assets that are accessed in hybrid mode by users working remotely or by consultants. It is a system that is populated and in turn populates itself day by day, improving the effectiveness of the prevention of illicit access: the anomalies detected may range from deviation from the acquired patterns to attempts to raise privileges without the necessary consent.
Source: Article by Marco Bavazzano, CEO of Axitea, published on CyberSecurity360