Complicate, detect, respond: stopping cyber attacks with identity analytics

  1. Complicate, detect, respond: stopping cyber attacks with identity analytics. Michael Davis and David Chan, Ernst & Young. Session SCX15S, #CAWorld Security.
  2. Terms of this Presentation (for informational purposes only). © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  3. Abstract. Corporate boards and audit committees are taking a greater interest in cybersecurity and plans to mitigate related risks. Headline-grabbing data breaches are prevalent. Shareholders and oversight bodies are concerned about the potential impact to their organizations’ financial well-being and reputation. Today, cyber adversaries are well-organized and well-funded, and they are more able to enter commercial and governmental organizations than ever before. No company has the capability and capacity to prevent all attacks. The only way to operate securely is to assume a breach has occurred, is occurring and will occur. This requires a “complicate, detect and respond” mindset when developing and automating controls. Speakers: Michael Davis and David Chan, EY Senior Managers.
  4. Attack chain. Figure: a timeline from January to July with the stages recon, backdoor drop, CnC server commands, escalate privileges, expand, exfiltrate and self-destruct. “Compromised” is the new normal. Today’s attacks are sophisticated and cannot be completely prevented.
     – Acquire target, sneak in, hop around (the perimeter doesn’t help)
     – Get privileged access to critical assets (access controls and known threat signatures are ineffective)
     – Conduct the crime for an extended time (early detection and continuous monitoring matter)
     The traditional approach to access controls and signature-based detection is ineffective against modern attacks.
  5. What is identity analytics? Identity analytics is the process of discovering and detecting highly sophisticated cybersecurity threats that are not detected through the traditional approach to access controls and signature-based threat detection. Identity analytics enables organizations to identify high-risk situations, detect threats and perform continuous monitoring:
     • Behavioral – user performs activities that deviate from the scope of practice.
     • Peer group – user performs activities that deviate from those of the user’s peers.
  6. What is identity analytics? (continued)
     • Frequency – user performs malicious activities on a low-and-slow basis to avoid detection.
     • Geo-location – user performs activities from an unusual location for the user’s profile.
     • Segregation of duties – user has combinations of access that will allow the user to perpetrate fraud.
     • Excessive access – user has excessive access based on the user’s peers, job functions, etc.
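Two of the checks listed above, as an added example that is not code from the deck: a segregation-of-duties test over an entitlement inventory, and a "low and slow" frequency check that baselines each user against their own weekly history so that activity spread thinly over many days still surfaces. The toxic entitlement pairs, the entitlement names and the event log are assumptions constructed for this example.

```python
"""Added example, not code from the EY deck: two of the checks listed above run
over constructed data.

  * Segregation of duties: a user holds a combination of entitlements that lets
    one person both create and approve a payment (the pairs below are assumed).
  * Frequency ("low and slow"): a user's weekly count of a sensitive action
    rises above that user's own baseline, although no single day ever exceeds
    the kind of per-day threshold a simple rule would use.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed toxic entitlement pairs (a tiny SoD matrix).
SOD_CONFLICTS = (
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.create", "payment.approve"}),
)


def sod_violations(entitlements):
    """Map user -> list of conflicting entitlement pairs the user holds."""
    hits = {}
    for user, ents in entitlements.items():
        found = [pair for pair in SOD_CONFLICTS if pair <= ents]
        if found:
            hits[user] = found
    return hits


def build_events(start, weekly_counts, user="jdoe", action="records.export"):
    """Constructed log: spread each week's count of `action` across weekdays."""
    events = []
    for week, count in enumerate(weekly_counts):
        for i in range(count):
            ts = start + timedelta(weeks=week, days=i % 5, hours=9 + i // 5)
            events.append((user, ts, action))
    return events


def max_per_day(events, user, action):
    """Largest number of `action` events by `user` on any single day."""
    per_day = defaultdict(int)
    for u, ts, act in events:
        if u == user and act == action:
            per_day[ts.date()] += 1
    return max(per_day.values(), default=0)


def low_and_slow(events, action, baseline_weeks=4, z=3.0):
    """Flag ISO weeks whose count of `action` exceeds the user's own baseline.

    The first `baseline_weeks` weeks in which a user is seen form the baseline;
    threshold = mean + z * population stdev of those weekly counts.
    Returns {user: [(iso_week, count, threshold), ...]}.
    """
    weekly = defaultdict(lambda: defaultdict(int))
    for user, ts, act in events:
        if act == action:
            year, week, _ = ts.isocalendar()
            weekly[user][(year, week)] += 1
    flagged = {}
    for user, counts in weekly.items():
        weeks = sorted(counts)
        base = [counts[w] for w in weeks[:baseline_weeks]]
        if len(base) < baseline_weeks:
            continue  # not enough history to score this user
        threshold = mean(base) + z * pstdev(base)
        hits = [(w, counts[w], round(threshold, 2))
                for w in weeks[baseline_weeks:] if counts[w] > threshold]
        if hits:
            flagged[user] = hits
    return flagged


# Constructed data: four quiet weeks, then two weeks of three exports a day.
EVENTS = build_events(datetime(2015, 6, 1), [4, 5, 6, 5, 15, 15])
ENTITLEMENTS = {
    "jdoe": {"payment.create", "payment.approve", "records.export"},
    "asmith": {"payment.create"},
}

if __name__ == "__main__":
    print(sod_violations(ENTITLEMENTS))
    print("max exports on any day:", max_per_day(EVENTS, "jdoe", "records.export"))
    print(low_and_slow(EVENTS, "records.export"))
```

The point of the frequency check is the aggregation window: the constructed attacker never exceeds three exports in a day, so a per-day rule stays quiet, while the weekly total against the user's own baseline fires in both anomalous weeks.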
  7. Identity analytics works based on clustering algorithms. Figure: Jane Doe (class ID 5120, manager Tony Oliver, job title Settlement analyst, cost center 1265, department Settlement) clustered with her peers; each attribute carries a cohesiveness score (the figure shows values of 62% and 97% to 100%) and the cluster yields an outlier probability.
  8. How identity analytics fits into the IAM lifecycle.
  9. Risk-based and data driven – the basis for successful identity analytics.
     • A standardized risk management methodology, coupled with consistent language, is the foundation to promote consistency, alignment and efficiency.
       – Identification of “crown jewel” assets
       – Prioritization of source integration
       – Integration with complementary business risk and security functions
     • Quality data received from enriching sources is required to enable accurate decisions, reduce false positives and align data from disparate sources.
       – Asset inventory
       – Entitlement catalog
       – Policy exceptions
       – Control mapping
  10. Identity analytics service conceptual architecture. Figure: inputs to the identity analytics system are identity information (direct pull from HR), existing log data collectors (direct pull from systems), application activity logs (direct pull from systems) and business-owner-generated logs (manual upload). Business and IT management supply risk models, use cases, custom queries and patterns; the system turns identity-based transactions and events into stakeholder-aligned, risk-based reports and events for business leadership, security investigation and the security and network operations center(s).
  11. Identity analytics are comprised of existing operational reporting and newer big data technology.
  12. Case study – health care enforcement of least privilege.
     • Misuse of privileged access granted for a legitimate job function was allowing insiders to disrupt systems and processes, placing both brand and revenue at risk.
     • Objectives of the least privilege monitoring:
       – Identify inappropriate access for job function
       – Reduce the likelihood of over-granting access
       – Correlate records access with customer interactions
     • The least privilege monitoring service was achieved through the integration of activity data from source applications, entitlement inventory and the provisioning engine.
  13. Combining outlier analysis with activity monitoring to target investigations. Figure: Jane Doe, outlier probability 99%, with per-attribute scores: title “Sales service” 99%, job key “1A11” 100%, division “Service” 100%, manager “Tony Luke” 97%, usage 100%. Outlier analysis identified users whose access did not align with peers. Event data was correlated to identify events where users gained access without “purpose.” Least privilege monitoring flow: application event logs, the provisioning engine and the entitlement inventory feed peer analysis; investigation events go to a remediation team (privacy, business, security) and a least privilege dashboard.
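A simple version of the peer-group outlier scoring sketched in the two Jane Doe figures, followed by the “access without purpose” correlation from the health care case study, as an added example that is not the deck's own code. The scoring model (peer support per HR attribute, outlier probability from the least-supported entitlement), the HR attributes, the entitlement inventory, the application events and the customer-interaction records are all assumptions constructed for this example.

```python
"""Added example, not the deck's own code: a simple peer-group outlier analysis
followed by correlation of outlier entitlement use with customer interactions.
The scoring model, HR attributes, entitlements and event logs are constructed.
"""
from datetime import datetime, timedelta

ATTRS = ("title", "manager", "dept")

# Constructed HR feed.
USERS = {
    "jdoe":   {"title": "Settlement analyst", "manager": "T. Oliver", "dept": "Settlement"},
    "asmith": {"title": "Settlement analyst", "manager": "T. Oliver", "dept": "Settlement"},
    "bkumar": {"title": "Settlement analyst", "manager": "T. Oliver", "dept": "Settlement"},
    "clee":   {"title": "Settlement analyst", "manager": "R. Ng",     "dept": "Settlement"},
    "dpatel": {"title": "Claims analyst",     "manager": "R. Ng",     "dept": "Claims"},
}
# Constructed entitlement inventory.
ENTITLEMENTS = {
    "jdoe":   {"settle.view", "settle.post", "records.read"},
    "asmith": {"settle.view", "settle.post"},
    "bkumar": {"settle.view", "settle.post"},
    "clee":   {"settle.view", "settle.post"},
    "dpatel": {"claims.view", "records.read"},
}


def peer_support(user, ent, attr):
    """Share of the user's peers on `attr` (same value, user excluded) holding `ent`."""
    group = [u for u in USERS if u != user and USERS[u][attr] == USERS[user][attr]]
    if not group:
        return 1.0  # no peers on this attribute: no evidence either way, do not flag
    return sum(ent in ENTITLEMENTS[u] for u in group) / len(group)


def outlier_entitlements(user, threshold=0.25):
    """Entitlements the user holds that fewer than `threshold` of peers hold on
    every attribute. Returns {entitlement: {attr: support}}."""
    out = {}
    for ent in ENTITLEMENTS[user]:
        support = {a: peer_support(user, ent, a) for a in ATTRS}
        if max(support.values()) < threshold:
            out[ent] = support
    return out


def outlier_probability(user):
    """1 minus the mean peer support of the user's least-supported entitlement."""
    scores = [sum(peer_support(user, e, a) for a in ATTRS) / len(ATTRS)
              for e in ENTITLEMENTS[user]]
    return round(1 - min(scores), 2) if scores else 0.0


# Constructed application event log (user, time, entitlement used, record) and
# customer-interaction log (user, time, record) that gives an access its purpose.
EVENTS = [
    ("jdoe",   datetime(2015, 7, 6, 9, 12), "records.read", "R-1001"),
    ("jdoe",   datetime(2015, 7, 6, 9, 40), "records.read", "R-1002"),
    ("jdoe",   datetime(2015, 7, 7, 22, 5), "records.read", "R-1003"),
    ("dpatel", datetime(2015, 7, 6, 10, 0), "records.read", "R-1001"),
]
INTERACTIONS = [
    ("jdoe",   datetime(2015, 7, 6, 9, 0),  "R-1001"),
    ("dpatel", datetime(2015, 7, 6, 9, 55), "R-1001"),
]


def access_without_purpose(window=timedelta(hours=4)):
    """Investigation events: uses of an outlier entitlement with no interaction on
    the same record by the same user within `window` of the access."""
    hits = []
    for user, ts, ent, rec in EVENTS:
        if ent not in outlier_entitlements(user):
            continue
        justified = any(u == user and r == rec and abs(t - ts) <= window
                        for u, t, r in INTERACTIONS)
        if not justified:
            hits.append((user, ts, ent, rec))
    return hits


if __name__ == "__main__":
    for u in USERS:
        print(u, outlier_probability(u), sorted(outlier_entitlements(u)))
    for hit in access_without_purpose():
        print("investigate:", hit)
```

The two stages are deliberately separated: outlier analysis narrows the population to users whose entitlements none of their peers hold, and only their events are then correlated with interactions, so the investigation queue contains accesses that are both unusual for the role and unexplained by a customer contact.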
  14. Case study – telecommunications privileged access monitoring.
     • Without adequate logging and monitoring, it was a challenge to detect high-risk transactions in “crown jewel” applications.
       – Centralizing the service provided the opportunity to improve incident response and proactively detect risky activity.
     • Objectives of the central activity monitoring service:
       – Reduce the manual effort and burden on the application teams
       – Reduce the risk of rubber-stamping by analyzing logs based on rules developed during the onboarding process and standard heuristics, such as time of access and peer group analysis
       – Generate summarized risk-based activity reports for application owner sign-off
     • The monitoring service was achieved through the integration of data from source applications, entitlement inventory, the provisioning engine and the security information and event management (SIEM) tool.
  15. The centralized service automatically analyzed the logs for risky activity. Figure: feeds into the privileged activity monitoring service are application elevated-activity logs (direct pull), identity information (AD/LDAP/QAR system), existing log data collectors and app-owner-generated logs (manual upload). The service produces summarized risk-based reports, integrated into a workflow for app owner review/sign-off, with escalation if needed to security investigation (a future requirement).
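What the centralized service does with an elevated-activity feed, as an added example that is not the deck's own code: each log line is scored against per-application rules of the kind captured at onboarding (which privileged actions are high risk, what the application's business hours are) plus a time-of-access heuristic, and the results are summarized per application so the owner signs off on a short, ranked review list rather than rubber-stamping a raw log. The log format, the applications, the rules, the weights and the sample lines are all constructed for this example.

```python
"""Added example, not the deck's own code: scoring of elevated-activity log
lines against per-application onboarding rules plus an off-hours heuristic,
summarized per application for owner sign-off. Log format, apps, rules and
sample lines are all constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) priv=(?P<priv>\S+) "
    r"action=(?P<action>\S+)(?: target=(?P<target>\S+))?$"
)

# Assumed onboarding rules: high-risk privileged actions and business hours per app.
RULES = {
    "billing": {"high_risk": {"db.schema.alter", "user.grant"}, "hours": (7, 19)},
    "crm":     {"high_risk": {"export.bulk"},                    "hours": (8, 18)},
}
WEIGHTS = {"high-risk action": 3, "off-hours": 2}
REVIEW_AT = 3  # score at which an event goes on the owner's review list

# Constructed elevated-activity log.
SAMPLE_LOG = """\
2015-07-06T09:15:02Z app=billing user=ops1 priv=sudo action=service.restart target=billingd
2015-07-06T23:41:10Z app=billing user=ops2 priv=dba action=db.schema.alter target=invoices
2015-07-07T02:03:55Z app=crm user=svc_backup priv=admin action=export.bulk target=contacts
2015-07-07T10:20:00Z app=crm user=admin3 priv=admin action=user.reset_password target=u8812
2015-07-07T11:00:00Z app=billing user=ops1 priv=dba action=user.grant target=ops9
"""


def parse(line):
    """Parse one log line into a dict; raise ValueError on a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def score(ev):
    """Return (score, reasons) for one event under its application's rules."""
    rules = RULES.get(ev["app"])
    if rules is None:
        return REVIEW_AT, ["app not onboarded"]  # unknown app: everything gets reviewed
    reasons = []
    if ev["action"] in rules["high_risk"]:
        reasons.append("high-risk action")
    start, end = rules["hours"]
    if not start <= ev["ts"].hour < end:
        reasons.append("off-hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def summarize(log_text):
    """Per-app summary for owner sign-off: event count and review items, highest score first."""
    report = defaultdict(lambda: {"events": 0, "review": []})
    for line in log_text.splitlines():
        ev = parse(line)
        s, reasons = score(ev)
        entry = report[ev["app"]]
        entry["events"] += 1
        if s >= REVIEW_AT:
            entry["review"].append((s, ev["ts"].isoformat(), ev["user"], ev["action"], reasons))
    for entry in report.values():
        entry["review"].sort(reverse=True)
    return dict(report)


if __name__ == "__main__":
    for app, entry in summarize(SAMPLE_LOG).items():
        print(f"{app}: {entry['events']} privileged events, {len(entry['review'])} for review")
        for item in entry["review"]:
            print("   ", item)
```

Each review item carries the reasons that produced its score, so the application owner sees why a line was surfaced; an application with no onboarding rules yields a review entry for every privileged event, which is the safe default until its rules are captured.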
  16. Growing need for intelligence-driven, analytics-based platforms. Five generations, each with its technology paradigm, security challenge and new controls (the fourth is marked as the current state):
     1. PC-centric security (antivirus defense)
        – Technology paradigm: personal computer; desktop applications
        – Security challenge: preventing viruses and worms from infecting software and operating systems
        – New controls: antivirus software/end point protection; encryption
     2. Perimeter security (network defense)
        – Technology paradigm: Internet; remote computing
        – Security challenge: defending the perimeter; protecting e-commerce
        – New controls: enterprise firewalls; intrusion detection/prevention; authentication controls/PKI; vulnerability management; web application security
     3. Integrated security (defense in depth)
        – Technology paradigm: social networking; mobility
        – Security challenge: gain better visibility over information assets (apps, devices, networks); detect and respond to attacks through an integrated mechanism
        – New controls: SIEM; unified threat management; secure web gateway; data loss prevention
     4. Intelligent security (active defense), current state
        – Technology paradigm: mobile/BYOD; cloud; big data
        – Security challenge: stopping disruptive attacks (DDoS); advanced persistent threats; insider threat; managing the security data tsunami
        – New controls: threat intelligence; malware breach detection; cyber analytics; cloud-based security
     5. Adaptive security (dynamic defense)
        – Technology paradigm: Internet of things; pervasive data
        – Security challenge: how to protect digital ecosystems; how to protect data outside the gates; how to continuously adapt in a cost-effective manner
        – New controls: information centric; people centric; virtualization; artificial intelligence
  17. IAM 3.0 – Identity analytics plays a key role in securing digital identities.
  18. Key takeaways.
     • Organizations need to take steps to complicate their environment, detect potential incidents, respond to identified incidents and educate employees on the threat landscape.
     • Without quality data, analysis time will increase and the quality of decision-making will suffer.
     • Identity analytics should be operated as a service connecting to GRC tools, integrating with SOC capabilities and sharing knowledge with risk and audit functions.
     • A common definition and risk management method are needed to deploy and continually improve the analytics capability.
  19. Q & A.
  20. EY | Assurance | Tax | Transactions | Advisory. About EY: EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. © 2015 Ernst & Young LLP. All Rights Reserved. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
  21. For More Information. To learn more, please visit: http://cainc.to/Nv2VOe (CA World ’15).
