What is Behavior-driven analytics in cybersecurity

There’s an unfortunate truth about applications and access in the enterprise. Many applications are underutilized. This means patches and updates can fall down the to-do list of already-stretched IT service desks. Naturally, this increases the vulnerabilities – and opportunities for attackers.

Risks are compounded when many users retain access they no longer need, especially when it’s access to the most critical and sensitive resources.

Meanwhile, companies are finding it hard to track behavior across their increasingly hybrid environments, especially unsafe actions that would normally trigger an alert or lock down resources. In other words, Zero Trust is no longer possible, even as cloud infrastructures become more complex. A predicted 50% of critical enterprise applications will reside outside of centralized public cloud locations by 2027.

This is all happening at a time when criminals are searching for privileged credentials online. They’re not picky either: these credentials could be for fully utilized accounts, underutilized accounts or even applications for which the user has signed up but never logged in, because threat actors know many people use the same passwords across multiple accounts. In fact, 78% of surveyed Americans admit to password reuse, with 4% saying they use the same password across 11 accounts.

So, when there are incidents such as the Mother of All Breaches, with over 26 billion records leaked, organizations have no choice but to face widened attack surfaces. And where there are gaps, such as between traditional identity governance and administration (IGA) and access management, threat actors will find and exploit them.

Traditional IGA and access management: Siloed challenges

Dig into many organizational environments and you’ll see how common it is to find silos between: 

Having visibility of what happens during access would inform the IGA tool and its governance decisions. But without connecting and converging these functions, it’s difficult to correlate user behaviors with the risks involved.

Fortunately, there is an antidote to these behavioral challenges, in the form of Behavior-Driven Governance.

What is Behavior-Driven Governance (BDG)? 

Behavior-Driven Governance (BDG) brings together access management and IGA, allowing organizations to bridge the silos and maximize security with a least-privilege model. By integrating OneLogin SSO and One Identity Manager, administrators get full visibility into accounts and entitlements. In practice, this means the access insights that come from OneLogin can be used to guide and inform governance policy actions in Identity Manager.

IT leaders and administrators can manage user access rights and entitlements to resources based on frequency of consumption. By linking access in this way, the principle of least privilege (PoLP) can be applied to make sure users only have a minimum level of access privilege and duration.

With heightened usage monitoring capabilities, it’s possible to recommend or automatically remove unnecessary entitlements and accounts. For example, if a user identity isn’t using an application, there’s the option to provide conditional removal with an attestation or to revoke access automatically.

How does BDG support IT administration? 

BDG provides governance-ready data around: 

  • Time since an account was logged into (connectors that provide this information are Azure AD (AAD), Active Directory (ADS), Google (GAP), OneLogin (OLG), Oracle EBS (EBS), Safeguard (PAG), SAP (SAP), SCIM (UCI/CSM) with some Starling Connect connectors, and UNIX (UNX))
  • Log and event details relating to Identity Providers and SSO
  • Log and event details relating to applications

BDG offers benefits in four key areas relating to entitlements:

Increased security

Credential stuffing remains a major threat to organizations, as “abuse of valid credentials in 2023 accounts for 44.7 percent of all data breaches”. This is partly due to people using weak passwords (the world’s most common password is 123456), or reusing the same password across multiple accounts (admitted to by 65% of users in a Google survey). 

While organizations can’t always control the strength of employee password choices, BDG can help mitigate the potential impact. Any unused entitlements can be removed along with logins using insecure passwords. So even if a user has their login details compromised, that long-dead unused account can be closed and secured. That way, any of the associated risks, such as privilege creep, can be held at bay.

Stronger compliance 

BDG offers businesses the means to meet compliance where there’s a focus on limiting data access.

There’s PCI DSS Requirement 7, which states “critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know.” NIST SP 800-53 has access control requirements to enforce a least privilege principle when granting access rights. ISO 27001 policies include ensuring correct levels of access are only available to people with the correct levels of privilege.

By making sure only needed entitlements are granted, BDG enables organizations to meet auditor requirements around these and other laws and regulations.

Better governance 

Rigid forms of access control often aren’t suitable for dynamic enterprises where roles can change and attributes can overlap. Privilege creep can appear, and without fine-grained visibility there can be gaps in offboarding – with access and vulnerabilities remaining open to departed employees.  

BDG solves these challenges by managing entitlements using adaptive policies. These can change based on real-world identity behavior metrics, for example event data such as how often an application is accessed. If the usage is too low, BDG can flag this as potentially unnecessary application access and offer administrators the option to revoke access or take other action.

Lower costs 

Of course, revoking unused and unnecessary licenses brings cost benefits to businesses too. There’s the potential to reduce subscription fees and also lighten the administrative load for license management. What’s more, evaluating current usage generates an auditable record of action taken to support evidence for security, governance and compliance. 

How is BDG different from other solutions in the same market? 

“Seamless” is a word that gets used a lot in IT. However, in this case, that’s what happens. Access rights defined in OneLogin can be used to inform governance decisions in Identity Manager – just one out-of-the-box solution for managing, making and modifying policy decisions. The main differences with BDG can be shown across four key areas: 

  1. Everything you need in one place: All the technical components required are provided by One Identity
  2. The solution is part of the Unified Identity Platform: This minimizes identity sprawl and protects against associated risks of fragmented access privileges, authentication, verification, analytics and compliance metrics.
  3. Less of a learning curve: Existing users of OneLogin and Identity Manager are already familiar with the ecosystem, so they have a head start in understanding features, functions and workflows.
  4. Integration instead of fragmentation: One system, for on-premises or cloud-based setups, ensures strengthened security and compliance across the attack surface while giving a clear audit trail that saves administration workloads and costs.

Out-of-the-box policies for BDG 

  • Unused account threshold: Set the number of days before a user account should be first disabled, then deleted. This generates a list of policy violations for further action, based on how many days until a user account is considered unused. 
  • Unused application threshold: This follows a similar process as the unused account threshold, where users can enter a value for the number of days until access to OneLogin applications is considered to be unused.
  • Available PAM policies (number of days until access to a privileged object, permission, or user is considered unused): These cover PAM usage across access options, asset accounts, assets, directory accounts, entitlements for groups and users, linked directory accounts, user groups used, user groups used by user, and more.

Through BDG, you have a hyperview of user accounts and identities, with membership information and all related data visible from one screen. There’s a similar single-pane view for company policies, with tabs to visualize violations, mitigate controls, view statistics and examine data usage. Other groupings in the web portal include requests, compliance, responsibilities and data administration.

There are also attestation tools with options to automatically start attestations of new policy violations immediately and include exceptions. Target system managers can be set as attestors with attestation policies predefined. Workflows can be streamlined with parameters set for approval policy, calculation schedule, time required and owner.

Reducing risks and costs with BDG 

BDG makes it possible to bridge the observability gap, a business-critical challenge in today’s era of beyond-the-perimeter enterprise operations. You gain a consistent view of identity across distributed infrastructures, where differing policies would otherwise limit the ability to apply consistent governance and compliance procedures. This allows you to:

  • Revoke unnecessary access: Enforcing least privilege, reducing the attack surface and lowering the probability for lateral movement to occur and remain undetected.
  • Simplify access attestations: Removing dormant, expired or unnecessary access so that supervisors can focus on validating existing users’ rights and privileges. They can provide more information when account or entitlement denial is required, create compliance policies to trigger alerts for lack of usage and focus resources on high interest events.
  • Streamline licensing costs: Deleting underutilized accounts means savings on licenses and operational overheads.
  • Secure blind spots: Identifying existing compromises for removal, preventing further access-related vulnerabilities.

To explore how BDG brings all this to your business, visit https://www.oneidentity.com/solutions/behavior-driven-governance/ to find out more, watch a demo and contact a consultant with any questions.
