Enterprises are deploying more cloud services, embracing DevOps, leveraging on-premises applications and exploring other productivity and cost optimization solutions. As a result, it is becoming harder for them to know who within the organization has access to what and how that access is being used or, as we found out in our latest survey, being misused.
In this new digital age, the static notions of good and bad, inside and outside, cloud and on-premises, etc. are too limiting. None of these will help prevent the next security breach, just like they did not prevent the last one.
“To securely enable digital business initiatives in a world of advanced, targeted attacks, security and risk management leaders must adopt a continuous adaptive risk and trust assessment strategic approach to allow real-time, risk and trust-based decision making with adaptive responses,” to quote Neil MacDonald and Felix Gaehtgens at Gartner, in reference to Gartner’s continuous adaptive risk and trust assessment (CARTA) approach.
Continuous Is Key
At Preempt, this is what we have learned from working with customers for the past three years: Things change. Security organizations don’t know when projects change, users move from one department to another, shifts are modified, or when role changes occur. As a result, they lack visibility over who has access to systems and applications, and more importantly, which access is no longer required.
Over time, it becomes difficult to distinguish between legitimate and suspicious legitimate access. Therefore, the leading cause of successful breaches – Compromised Credentials - cannot effectively be identified until it is too late. If every transaction could be evaluated for risk, then access could be granted with confidence.
The CARTA approach is aligned with the architecture of the Preempt Platform. The realization that identity matters and being able to adapt in real-time is becoming obvious now to most organizations. What is harder is figuring out how to extend their security infrastructure so that it can easily embrace an approach based on creating and enforcing policies using identity, behavior and risk.
Once you get past role-based Identity like Privileged users, regular users, executives, contractors, etc., the behavior behind the identity is just as important. A graduated scale of responses is required and a flexible policy ensures the right level of response. Having a grayscale set of responses - Allow, Email Notify, SMS, Isolate, MFA, Block, etc - that adapt based on changes in behavior is the embodiment of CARTA. And a flexible policy ensures that enterprises can customize responses to their specific enterprise security policies.
The third leg of this stool is Risk which looks at factors such as activity, password strength, location,encryption levels, asset value, and more. When you combine identity, behavior and risk, what you get is a view that can allow you to make effective, real time decisions on whether to allow, disallow or more importantly, verify identity to enable the business process if the person is who they say they are and allowed to do what they need to do.
For example, if a privileged user suddenly begins to access multiple new applications, that is a change in behavior. By combining identity - in this case privileged identity - with the behavior and other context such as similar user activity, location, or whether the user is coming from their own laptop and during normal business hours, it may be determined that the risk is high and this access attempt may or may not be an account compromise. In addition to a multi-layer cyber logic assessment, having the user verify their identity in real time via Multi Factor Authentication is a simple, yet effective approach to ensure security.
Another example is when service accounts are behaving abnormally. In this case, the response could either block the transaction or have a human user validate the change in behavior of the service account. In both cases, you allow the business process to take place, ensure security and do not overwhelm the security organization by having them chase false alarms – a trifecta!
Learn & Integrate
Extensibility is another key aspect that enterprises should be embracing. With the right platform its possible to gain even more value out of the solutions already in your organization. What if you were able to add secure and step up authentication for critical applications and any other network resource based on user identity? Even if apps are legacy or custom, it is now easy to add secure authentication in front of any application.
For example, a SQL server login process may not support MFA. With Preempt Any App, MFA can be added for any application or network resource without needing to make changes to the process or application. MFA can be integrated at the network layer when the user accesses the application. An additional layer of security is added with a simple rule in the policy engine – without the extra cost and time consuming integration challenges.
Preempt With Confidence
Preempt’s customers have driven this expansion in the Preempt solution with today’s introduction of the Preempt Platform. Strategies are shifting to become continuously adaptive and responsive in real-time to threats that will require more situational context. The Preempt Platform enables a transition for more accurately identifying anomalies by analyzing the behavior, the type of user, risk, application and asset being targeted, which is severely lacking in the market today.
Responding to threats by combining identity, behavior and risk is a necessity as the enterprise perimeter dissipates and static policy based solutions to identify and respond to threats are ineffective.