We broke down what correlation is, its 3 main components, and what it means to identity and access management. It could also be important to your organization's security infrastructure.
3. It’s a question we keep discussing with prospects and customers…
And it’s clear there’s a lack of understanding around correlation
and its place in an identity management platform.
4. What is correlation?
When is it needed?
How does it support an identity management platform and
security infrastructure?
5. There are three kinds of correlation:
• Identity Correlation
• Event Correlation
• Behavioral Correlation
8. Identity Correlation – What is it?
Identity Correlation reconciles and validates proper ownership of
user account IDs throughout an organization & links ownership
of those user account IDs to individuals using a unique identifier.
In other words, Identity Correlation provides context to user
account IDs.
9. This is Jane Smith.
She works as a Marketing Manager
for XYZ Corp.
To XYZ Corp’s security technology
systems, Jane exists as JSmith.
Identity Correlation – How it Works
10. Identity Correlation links JSmith to the
access Jane needs to do her job.
As a marketing manager, Jane needs
access to Google Apps, Salesforce.com and
Hubspot.
She does not need access to JIRA, used by
the engineering team.
Identity Correlation – How it Works
11. Identity Correlation can show data discrepancies, such as Jane
suddenly having access to JIRA.
If that happened, Identity Correlation would show XYZ Corp’s IT
staff that they need to remove that access for her.
Identity Correlation – How it Works
12. Identity management platforms should provide identity
correlation as a core function of the product.
Identity Correlation & Identity
Management
14. Event correlation looks at events happening in a window of time.
It is the process of examining events, interactions of events, and
then determining which events and interactions are important.
Event Correlation – What is it?
15. Event correlation is handled by a Security Information and Event
Management (SIEM) tool.
When properly configured, a SIEM tool will determine event
correlations and raise alerts when needed.
Event Correlation – What is it?
16. Event Correlation – How it Works
Jane logs into her computer in Barcelona…
…but then swipes her employee
badge in Jakarta…
That shouldn’t be possible!
A SIEM tool would alert her IT staff so
proper containment steps could be taken.
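The Barcelona/Jakarta check on this slide, written out as an added example (not from the original deck and not any SIEM product's rule language). The event fields, the second user ALee, the timestamps, the approximate coordinates and the 900 km/h speed ceiling are all assumptions made for the illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900  # assumed ceiling: roughly airliner cruising speed

# Constructed sample events; coordinates are approximate city centres.
EVENTS = [
    {"user": "JSmith", "source": "workstation_login", "time": "2024-03-04T09:00:00",
     "site": "Barcelona", "lat": 41.39, "lon": 2.17},
    {"user": "JSmith", "source": "badge_swipe", "time": "2024-03-04T11:30:00",
     "site": "Jakarta", "lat": -6.21, "lon": 106.85},
    {"user": "ALee", "source": "workstation_login", "time": "2024-03-04T08:00:00",
     "site": "Barcelona", "lat": 41.39, "lon": 2.17},
    {"user": "ALee", "source": "badge_swipe", "time": "2024-03-04T08:20:00",
     "site": "Barcelona", "lat": 41.39, "lon": 2.17},
]

def distance_km(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Alert when consecutive events of one user imply travel above max_speed_kmh."""
    alerts, last_seen = [], {}
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = distance_km(prev, ev)
        delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        # Ignore same-site pairs (under 1 km); zero elapsed time between
        # different sites is impossible at any speed.
        if km > 1 and (hours == 0 or km / hours > max_speed_kmh):
            alerts.append({"user": ev["user"], "from": prev["site"], "to": ev["site"],
                           "km": round(km), "hours": round(hours, 2)})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

The check only works because the login and the badge swipe are both attributed to the same identity, which is why the logs feeding it need consistent user identifiers across systems.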
17. A SIEM tool directly handles event correlation, but receives
event logs from across the organization.
An identity management platform is a provider and producer of
activity logs for a SIEM tool. It also supports alerts from SIEM
tools to take action on risks.
Event Correlation & Identity
Management
19. Behavioral correlation is a relatively new term in IT security
because the industry has struggled so much with identity and
event correlation.
Behavioral Correlation – What is it?
20. Identity Correlation = deals with a current state of accounts
Event Correlation = examines events occurring within a window
of time
Behavioral Correlation = looks at a current event and compares
it to historical action patterns
Behavioral Correlation – What is it?
21. Jane typically logs into a US-based device every weekday
between 9am and 6pm.
But if she travels to Munich and attempts to log in, behavioral
correlation determines that this login does not match her usual
patterns.
That action could push a pre-set policy for this situation into effect,
requiring Jane to provide additional information, such as a
one-time password sent to her phone.
Behavioral Correlation – How it Works
22. Because it’s such a new concept, most identity management
platforms do not have the infrastructure to handle behavioral
correlation.
But it should live in identity management, so the most innovative
vendors are closely examining it.
Behavioral Correlation & Identity Management
24. In short, maybe…
It all depends on what you’re trying to do.
But your identity management vendor should be able to
help you determine which type of correlation you need.
25. As it relates to correlation, an identity management platform
should include:
• Identity Correlation as a component
• Ability to work in conjunction with a SIEM tool
• Future plans to offer Behavioral Correlation capabilities
26. To learn more about the different types of correlation, read
our guidebook, Do You Need Correlation?