NTXISSA CSC4 - Identity as a Threat Plane: Leveraging UEBA and IdA
TRANSCRIPT
Identity as a Threat Plane: Leveraging UEBA and IdA
Mark Mandrino, Director UEBA
The compromise and misuse of identity is often at the core of modern threats
Copyright © 2016 Gurucul. All rights reserved. Slide 2
Identity is a Threat Surface
Insider Threats
Account Hijacking
Data Exfiltration
Cyber Fraud
Access Abuse
Identity is a Perimeter
Excess Access
Access Outliers
Account Volume
Orphan Accounts
Rule-based Roles
Privileged Access
Objectives
Predict Risk Through Identity (UEBA)
Reduce Attack Surface Area (IdA)
IDENTITY
User
Accounts
Entitlements
Identity Profile
10,000 Identities x 10 Accounts Each x 10 Entitlements Each = 1,000,000 Entitlements
Popular Use Case: Privileged Access Abuse
UEBA: Detect Privileged Access Abuse
Need Privileged Accounts…
More than 50% of Privileged Access is Unknown
Privileged Account List / Report
Directory / IAM / PAM Discovery?
IdA: Detect Privileged Entitlements
Entitlements Define Privilege
Machine Learning Enhances IAM & PAM
New Approach Required
Big Data Machine Learning
Users have a trail of digital exhaust as context for machine learning
User/Entity Behavior Analytics (UEBA)
Identity Analytics (IdA)
Cloud Security Analytics
Identity
Accounts
Access
Activity
Risk
Data Sources = Context
Identity Access Management
Privileged Account Management
Directories
SIEM/LEMs
FW/VPN/SWGs
Cloud Apps
Network Flows
Databases
Authentication
File/Storage
Threat Intel / Vulnerabilities
User & Entity Behavior Analytics
Detecting the Unknown Unknowns
Step 1: Behavioral Machine Learning
Machine learning builds baselines (250+ attributes)
Learn normal to detect abnormal user behaviors
Leverage peer groups for clustering to detect outliers
Dynamic peer groups provide more accuracy
Step 2: Predictive Machine Learning
Machine learning focuses on anomalies & risk scoring
Leverages behavior patterns and threat libraries
Learns time-based norms (accepted workflows, operational changes)
180+ ML models
Case Study: Monitor Use
• Large manufacturing company
• Concerned about IP data theft
• Known-bad defenses (SIEM, NGFW, etc.)
• Focused on identity with UEBA data science
Second day using UBA, detected two hijacked research accounts

Case Study: Self Audit
• Large insurance company
• Collaboration with users via self audit
• Users have more context than SOC teams
• Started weekly reports to HPA accounts
End user on PTO on Wednesday; the Friday report shows account activity; the account had been compromised for 3.5 years
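Worked example of the Step 1 / Step 2 mechanics above (per-user baselines, peer-group clustering, anomaly-driven risk scoring) and of the self-audit case, where the telling signal was account activity on a day the user was recorded as out of office. This is an added illustration, not Gurucul code or anything from the deck: the ten-day login summaries, the HR absence feed, the anomaly weights and the z > 3 thresholds are all constructed assumptions.

```python
"""Behavioral baseline and peer-group outlier scoring over constructed
login summaries. Added example, not Gurucul code; weights, thresholds and
the HR absence feed are assumptions chosen for illustration."""
from datetime import date
from statistics import mean, pstdev

# Constructed learning window, one entry per user:
# (peer group, logins per day for ten days, login hours seen, source countries seen)
LEARNING = {
    "alice": ("research", [12, 11, 13, 10, 12, 11, 12, 14, 11, 12], {8, 9, 10, 13, 16}, {"US"}),
    "bob":   ("research", [9, 10, 8, 11, 9, 10, 9, 8, 10, 9],       {8, 9, 11, 14, 17}, {"US"}),
    "carol": ("research", [15, 14, 16, 15, 13, 15, 14, 16, 15, 14], {7, 8, 9, 12, 15},  {"US", "CA"}),
    "dave":  ("finance",  [4, 5, 4, 6, 5, 4, 5, 5, 4, 6],           {9, 10, 11, 15},    {"US"}),
}

# Constructed HR absence feed: days on which the user is recorded as out of
# office, the context an end user has but a SOC analyst usually does not.
ABSENCES = {"carol": {date(2016, 10, 5)}}

# Assumed risk weights per anomaly type; the total is capped at 100.
WEIGHTS = {
    "volume_vs_own_baseline": 30,
    "volume_vs_peer_group": 20,
    "unusual_hours": 15,
    "new_source_country": 25,
    "activity_during_recorded_absence": 40,
}


def build_baselines(learning=LEARNING):
    """Per-user 'normal': daily volume mean and stdev, usual hours, usual countries."""
    baselines = {}
    for user, (group, counts, hours, countries) in learning.items():
        baselines[user] = {
            "group": group,
            "mean": mean(counts),
            # floor the stdev so a flat history does not turn every change into infinity
            "std": max(pstdev(counts), 1.0),
            "hours": set(hours),
            "countries": set(countries),
        }
    return baselines


def build_peer_baselines(baselines):
    """Distribution of daily-volume means inside each peer group (the clustering step)."""
    per_group = {}
    for b in baselines.values():
        per_group.setdefault(b["group"], []).append(b["mean"])
    return {g: (mean(v), max(pstdev(v), 1.0)) for g, v in per_group.items()}


def score_day(user, day, logins, hours, countries, baselines, peers, absences=ABSENCES):
    """Score one user-day; returns (risk 0..100, [(reason, detail), ...])."""
    b = baselines[user]
    reasons = []
    # Only increases are scored here; a drop in volume is normal on a day off.
    z_self = (logins - b["mean"]) / b["std"]
    if z_self > 3:
        reasons.append(("volume_vs_own_baseline", round(z_self, 1)))
    g_mean, g_std = peers[b["group"]]
    z_peer = (logins - g_mean) / g_std
    if z_peer > 3:
        reasons.append(("volume_vs_peer_group", round(z_peer, 1)))
    new_hours = set(hours) - b["hours"]
    if new_hours:
        reasons.append(("unusual_hours", sorted(new_hours)))
    new_countries = set(countries) - b["countries"]
    if new_countries:
        reasons.append(("new_source_country", sorted(new_countries)))
    if logins > 0 and day in absences.get(user, set()):
        reasons.append(("activity_during_recorded_absence", day.isoformat()))
    risk = min(100, sum(WEIGHTS[r] for r, _ in reasons))
    return risk, reasons


# Constructed days to score: (user, day, logins, hours, countries)
SAMPLE_DAYS = [
    ("alice", date(2016, 10, 5), 12, {9, 10}, {"US"}),   # ordinary day
    ("bob",   date(2016, 10, 5), 60, {3, 4}, {"RU"}),    # hijacked-looking day
    ("carol", date(2016, 10, 5), 3, {9}, {"US"}),        # on PTO, yet the account logged in
]


def score_samples():
    """Score SAMPLE_DAYS; returns {user: (risk, [reason names])}."""
    baselines = build_baselines()
    peers = build_peer_baselines(baselines)
    results = {}
    for user, day, logins, hours, countries in SAMPLE_DAYS:
        risk, reasons = score_day(user, day, logins, hours, countries, baselines, peers)
        results[user] = (risk, [r for r, _ in reasons])
    return results


if __name__ == "__main__":
    for user, (risk, reasons) in score_samples().items():
        print(f"{user:6} risk={risk:3} {reasons}")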
UEBA: Use Cases
Account Compromise / Hijacking
Account Sharing / Abuse
Privileged Access Abuse
Data Exfiltration / Protection
Intellectual Property Protection
Insider Threat Detection & Deterrence
Self Audit & ID Theft Detection
Cyber Fraud
Trusted Host / Entity Compromise
Step-up Authentication
Anomalous Behavior Watch Lists
SIEM Risk Intelligence
DLP Risk Intelligence
Hybrid Behavior Analytics
Bi-directional API Integration
UI
Closed-Loop
Identity Analytics (IdA)
Administration / Activity
Identity Analytics
Contextual, dynamic, risk-based approach for identity access management
Who has access to what?
What are they doing with it?
IdA Benefits
Access Certifications
• Avoid the rubber stamp
• Risk-based certifications
• Increase revocation rates
Access Requests & Approvals
• Avoid user cloning
• Risk-based requests
• Risk-based approvals
Access Policies & Roles
• Role reconciliation
• Intelligent roles
• SoD monitoring
Account Clean-up
• Orphan & dormant accounts
• Unused roles and groups
• Excess access & access outliers
Monitor Users
• Privileged access, shared accounts, and misuse
• Activity monitoring for behavior anomalies
• Real-time alerting/response
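Worked example for the Account Clean-up benefits above (orphan and dormant accounts, access outliers against a peer group) and for the "Entitlements Define Privilege" point from the Privileged Access Abuse slide, where privilege is derived from what an account can do rather than from a list the PAM tool happens to hold. This is an added illustration, not Gurucul code: the identity store, account inventory, entitlement extract and PAM list are constructed, and the one-third peer-share threshold and the admin/operator/root/sudo/approve name pattern are assumptions.

```python
"""Identity analytics over constructed directory, IAM and PAM extracts.
Added example, not Gurucul code; the data, the privilege name pattern and
the one-third peer-share threshold are assumptions for illustration."""
from collections import Counter
from datetime import date, timedelta
import re

# Constructed identity store: identity -> peer group (here, department)
IDENTITIES = {
    "alice": "research", "bob": "research", "carol": "research", "dave": "research",
    "erin": "finance", "frank": "finance",
}

# Constructed account inventory: account -> (owning identity or None, last login)
ACCOUNTS = {
    "alice": ("alice", date(2016, 10, 3)),
    "bob": ("bob", date(2016, 10, 4)),
    "carol": ("carol", date(2016, 10, 4)),
    "dave": ("dave", date(2016, 10, 1)),
    "dave_old": ("dave", date(2016, 3, 15)),       # second account, unused for months
    "erin": ("erin", date(2016, 10, 4)),
    "frank": ("frank", date(2016, 9, 30)),
    "svc_backup": (None, date(2016, 10, 4)),       # service account with no owner
    "tmp_contractor": ("tmp", date(2016, 2, 1)),   # owner no longer in the identity store
}

# Constructed entitlement extract: account -> entitlements (groups, roles, rights)
ENTITLEMENTS = {
    "alice": {"lab-data-ro", "wiki-edit", "vpn"},
    "bob": {"lab-data-ro", "wiki-edit", "vpn"},
    "carol": {"lab-data-ro", "wiki-edit", "vpn", "lab-data-rw"},
    "dave": {"lab-data-ro", "wiki-edit", "vpn", "DomainAdmins", "payroll-export"},
    "dave_old": {"lab-data-ro"},
    "erin": {"payroll-export", "gl-read", "vpn"},
    "frank": {"payroll-export", "gl-read", "vpn", "gl-approve"},
    "svc_backup": {"BackupOperators", "lab-data-ro"},
    "tmp_contractor": {"vpn"},
}

# Constructed PAM view: the only account the vault currently treats as privileged.
PAM_VAULTED = {"dave"}

# Assumed naming convention for privilege-granting entitlements.
PRIVILEGE_RE = re.compile(r"admin|operator|root|sudo|approve", re.IGNORECASE)


def orphan_accounts(accounts=ACCOUNTS, identities=IDENTITIES):
    """Accounts whose owner is missing or no longer exists in the identity store."""
    return sorted(a for a, (owner, _) in accounts.items() if owner not in identities)


def dormant_accounts(as_of=date(2016, 10, 5), days=90, accounts=ACCOUNTS):
    """Accounts with no login in the last `days` days before `as_of`."""
    cutoff = as_of - timedelta(days=days)
    return sorted(a for a, (_, last_login) in accounts.items() if last_login < cutoff)


def identity_entitlements(identities=IDENTITIES, accounts=ACCOUNTS, entitlements=ENTITLEMENTS):
    """Collapse accounts onto identities: identity -> union of its accounts' entitlements."""
    merged = {i: set() for i in identities}
    for account, (owner, _) in accounts.items():
        if owner in merged:
            merged[owner] |= entitlements.get(account, set())
    return merged


def access_outliers(max_share=1 / 3, identities=IDENTITIES, accounts=ACCOUNTS, entitlements=ENTITLEMENTS):
    """Entitlements held by fewer than `max_share` of the holder's peer group."""
    merged = identity_entitlements(identities, accounts, entitlements)
    groups = {}
    for identity, group in identities.items():
        groups.setdefault(group, []).append(identity)
    outliers = {}
    for members in groups.values():
        holders = Counter(e for m in members for e in merged[m])
        for m in members:
            rare = sorted(e for e in merged[m] if holders[e] / len(members) < max_share)
            if rare:
                outliers[m] = rare
    return outliers


def privileged_accounts(entitlements=ENTITLEMENTS, pattern=PRIVILEGE_RE):
    """Privilege derived from entitlements rather than from a maintained list."""
    return sorted(a for a, ents in entitlements.items() if any(pattern.search(e) for e in ents))


def unknown_privileged(pam_vaulted=PAM_VAULTED):
    """Privileged accounts the PAM tool does not know about."""
    return sorted(set(privileged_accounts()) - pam_vaulted)


if __name__ == "__main__":
    print("orphans:        ", orphan_accounts())
    print("dormant:        ", dormant_accounts())
    print("access outliers:", access_outliers())
    print("privileged:     ", privileged_accounts())
    print("unknown to PAM: ", unknown_privileged())
```

Two of the outputs show why the signals are kept separate: dave's payroll-export is an access outlier in research because nobody else in his peer group holds it, even though it is perfectly ordinary in finance; and frank's gl-approve is privileged by name but not an outlier, because half of a two-person group holds it, which is the small-group weakness that dynamic peer groups are meant to address. svc_backup is at once an orphan and a privileged account absent from the PAM vault, which is the kind of unknown privileged access the deck says a list or report alone will miss.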
Big Data Analytics Funnel
Big Data / Data Lake
Security Analytics (SIEM, DLP, NBA, EDR, CASB)
Behavior Analytics (UEBA)
Identity Analytics (IdA)
Privilege Access Analytics (PAA)
On-Premise / Cloud
Identity Access Intelligence
Reduce Excess Access Risks
Detect Access Outliers
Define Intelligent Roles
Risk-based Provisioning
Enable Adaptive Access
Radically Reduce Identity Threat Plane Exposure
Case Study: Manage Access
• Large financial investment company
• Recognized identity as a threat plane
• Focused on 'managing access' with IdA
• IdA based on behavior analytics data science
83% reduction in accounts and entitlements; defined intelligent roles for 11 business units

IdA: Use Cases
Excess Access & Access Outliers
Outlier Access Clean-up (OIM)
Privilege Access Analytics
Risk-based Certifications
Risk-based Access Requests
Dynamic Access Provisioning
Role-Access Reconciliation
Role Mining & Intelligent Roles
Access Governance & SoD Monitoring
Dormant & Orphan Account Mgmt
Bi-directional API Integration
UI
Closed-Loop
Cloud Analytics Platform
New Tools Transition
SIEM/LEM
Rules - Queries
Statistics - Correlations
Threat Hunting
Big Data Warehouse
Machine Learning Algorithms
User/Entity Behavior Analytics
Identity & Privilege Analytics
Cloud Security Analytics
Predictive Risk Scoring
Machine learning can surpass what humans and software engineering can detect
UNKNOWN / KNOWN
New Approach Required
UEBA & IdA are force multipliers transforming SIEM, IAM/PAM and DLP
Get it Right