Identity Analytics and Security Intelligence
Bryan Casey BFCASEY@US.IBM.COM | Tags: security intelligence analytics ibm identity
While much has been made about analyzing data to generate business intelligence, many of those same principles can also be applied to the concept of security intelligence. We can leverage security information gathered from all different points across an IT infrastructure and relate one event to another with the intention of identifying and remediating threats. The more data we can normalize and correlate, the more security intelligence we can begin to build and develop. We can put together different puzzle pieces in order to help us develop a better understanding of what it is we're looking at.
In security, the creation of meaningful data, and the automated analysis of that data, presents us with the opportunity to really wrap our heads around the overarching challenge of information security, and Identity and Access Management is an excellent example of this. Historically, even with identity and access as a core foundation of information security, you may view the task of user provisioning and the administration of access rights as more of a technical, systems management challenge. X person needs access to Y files, a system admin checks/verifies your rights and either provides or denies access. While that is all well and good, if you are an executive and concerned about the possibility of something like insider threat, that approach to identity and access management isn't particularly helpful and won't provide you with the understanding that you are probably looking for. However, this technology was in a position to tell us more.
First, logging into something can be a meaningful event on your network, and with it comes some pretty useful information, such as who is touching what and when. If you are trying to assess what happened during a security incident, or looking for anomalies, that information is invaluable. It is also most valuable when it can be understood within the context of other activity from across your IT infrastructure. The promise of security intelligence is the ability to understand one activity or event within the context of another.
Secondly, role-based analytics can help transform identity and access management into a far more strategic and manageable initiative. In a company of thousands of people, provisioning identities and access rights individually is neither practical nor effective. It also reduces your ability to make larger, more meaningful business decisions. However, if you take a role-based approach to security, where you group people based on common access needs, you can start to do a better job of defining what types of people are accessing what types of information. Not only is this approach more efficient and scalable, it helps provide insight into which users have access privileges that aren't consistent with other similar users. Perhaps someone changed roles and can still see things they should no longer be able to see. This example might represent a security risk, and identifying that risk means that business leaders can now take steps to decide how to manage that risk. On the one hand, you might remove those rights. On the other hand, organizations are complicated and not everyone will fit neatly into a defined role. Understanding which users have risky access profiles gives businesses something meaningful that they can monitor.
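The peer comparison described above, as an added Python example (it is not IBM's code and does not describe how any IBM product works): within each role, it flags entitlements that a user holds but that few of that user's peers hold. The user names, roles, entitlement names and the 50% peer-share threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: (user, role, entitlements). Not from any real system.
USERS = [
    ("alice", "marketing", {"marketshare_db", "crm", "email"}),
    ("bob",   "marketing", {"marketshare_db", "crm", "email"}),
    ("carol", "marketing", {"marketshare_db", "email"}),
    # dave moved from HR to marketing and kept an HR entitlement
    ("dave",  "marketing", {"marketshare_db", "crm", "email", "hr_records"}),
    ("erin",  "hr",        {"hr_records", "payroll", "email"}),
    ("frank", "hr",        {"hr_records", "payroll", "email"}),
    ("grace", "hr",        {"hr_records", "email"}),
]


def peer_outliers(users, min_peer_share=0.5, min_group_size=3):
    """Map each user to the entitlements that are rare among peers in the same role.

    An entitlement is reported when fewer than `min_peer_share` of the user's
    *other* role members hold it. Roles with fewer than `min_group_size`
    members are skipped: there are too few peers to compare against.
    """
    by_role = defaultdict(list)
    for user, role, entitlements in users:
        by_role[role].append((user, entitlements))

    findings = {}
    for role, members in by_role.items():
        if len(members) < max(min_group_size, 2):
            continue
        # How many members of this role hold each entitlement.
        holders = Counter(e for _, ents in members for e in ents)
        for user, ents in members:
            rare = []
            for e in sorted(ents):
                # Exclude the user themselves from the peer count.
                share = (holders[e] - 1) / (len(members) - 1)
                if share < min_peer_share:
                    rare.append((e, round(share, 2)))
            if rare:
                findings[user] = rare
    return findings


if __name__ == "__main__":
    for user, rare in peer_outliers(USERS).items():
        print(user, rare)
```

A finding is a prompt for review rather than an automatic revocation, since the access may be a legitimate exception for that user.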
This field of identity analytics is an area that IBM is investing heavily in. At the end of 2011 we acquired Q1 Labs, a Security Information and Event Management company that helps organizations do a better job of analyzing and understanding all of their different security events and data.
Last week we announced the introduction of IBM Security Role and Policy Modeler, an addition to our identity management product that will help organizations take a strategic approach to what is becoming an increasingly relevant business challenge.
Security Role and Policy Modeler is now available as part of IBM’s software for policy-based identity and access management governance offering. The new software allows companies to efficiently collect, clean up, correlate, certify, and report on identity and access configurations. Specific new functions include:
· Scoring metrics and analytics that give business users the ability to produce a more effective role and access structure. Users can be identified by the specific role they play in an organization. For example, a marketing team manager can only allow employees to access marketshare data but not human resources information.
· Clearer view into the role structure, such as organizational hierarchy charts and access exceptions due to business needs, that can be managed throughout the users' lifecycle. For example, if an employee moves from one department or function to another, that employee can be assigned access to, or restricted from accessing, particular applications or business assets based on their role structure within the organization.
· Single web-based interface to create, apply and validate roles that have multiple members. For example, a "physician" can be the group role and "cardiologist" or "radiologist" is the member role. Each role can be assigned different access and can be mined to identify outlying behavior and validated for violations.
IBM's Security Role and Policy Modeler is based on IBM Research innovation. IBM has a rich history of innovation coming out of our research labs. IBM set a new U.S. patent record in 2011, marking the 19th consecutive year that the company has led the annual list of patent recipients. IBM inventors earned a record 6,180 U.S. patents in 2011, including more than 100 security-related patents, adding to more than 3,000 patents in IBM's security portfolio. The 2011 patents granted include advances in identity intelligence for authenticating user identity when resetting passwords, verifying personal identity and detecting fingerprint spoofing.
By leveraging innovation in areas like identity management, analytics will continue to play an increasingly significant role not only in how we manage and provision user identities and access rights, but also in how data around user activity can be understood in the broader context of a company's overall security posture.
For more information, listen to our webcast on simplifying identity and access governance with effective role management.