Deconstructing Identity Analytics for Higher Risk Awareness

Presentation transcript:

Deconstructing Identity Analytics for Higher Risk Awareness (IDY-W02F)
Jackson Shaw, Sr. Architect, OneIdentity.com
Jackson.Shaw@OneIdentity.com

Session Goals
- Introduce you to the concept of Identity Analytics and Intelligence (IAI)
- Understand how IAI can benefit you and your organization
- How powerful tools like Cloud-based Analytics and Machine Learning relate to IAI
- The value of community-based information as a benchmarking tool
Other Ideas
- Why Identity is a good place to start
- It’s more than just User Behavior Analytics
- Comments (does anyone care about machine learning)

What is identity analytics & intelligence
“Identity analytics is the next evolution of the Identity Governance and Access (IGA) market.”
“Identity analytics is the discipline that applies logic and science to identity and access data to provide insights for making better IAM decisions. Identity analytics tools employ features that move organizations toward a contextual, dynamic, risk-based approach to IAM. With identity analytics, the organization can bridge the gap between administrative controls and runtime activities, detect and remediate malicious behavior, and make more informed access policy decisions.”

Identity Analytics – Thru the context of RISK
Assumption: There are bad actors out there. What can we do to proactively reduce our risk surface?
- Who are my high risk users?
  - Discover and establish a user risk profile baseline
  - Am I aware when/if someone goes from a low risk to a high risk user?
  - Am I aware when/if someone goes from a high risk user to a low risk role? (i.e., internal transfers)
- What can I do to eliminate unneeded risk?
  - Do I have users with unneeded or anomalous entitlements?
  - Do I have users with dormant entitlements?
- How can I assert that the existing risk aligns with the business needs?
  - Do I have the context I need to make a decision?

Identity Analytics and Intelligence
What’s needed? (imho)
- Real-time, cloud and community based
- Data maintained longitudinally
- Leverage new (and hip) technologies like machine learning
  - ML allows computers to find hidden insights without being explicitly programmed where to look
- Initial feeds related to user activity would be sourced from various systems:
  - Directories (AD, AAD, LDAP, etc.)
  - Privileged Account Management systems
  - SIEMs & firewalls
NOTE: I hacked this slide and diagram to remove the focus on behavior analytics and put the focus on entitlement grants and anomalous/dormant access.

We already understand the current state of identity
- Users, resources and entitlements everywhere
- Change is constant
- Bad actors are looking to exploit weaknesses
- Entropy is the enemy
How does Identity Analytics help make sense of this current state?

Entitlement Grants are Harvested
- Identity Analytics harvests entitlement grant data from data sources
- All the harvested data is sent to the Identity Analytics cloud service for processing

All entitlements are not created equal
- Identity Analytics possesses a huge index of identity and entitlement grant data
- Fact: Not all entitlements are created equal
- Solution: Classification!

Entitlement Classification Rules
- Entitlement grants are run through a series of entitlement classification rules
- The rules identify and filter the high risk grants
- “Out-of-the-box” rules for quick processing
- Turn-key but customizable
Basic examples:
- Granted the ability to reset a domain user’s password in Active Directory
- Granted the ability to enable disabled domain user accounts in AD

Community insights
- Entitlement classification rule usage data is shared across the community
- Gain insights into how the community views the definition of a “high risk” entitlement grant
- Today: Usage statistics
- Tomorrow: Machine Learning and Recommender Algorithms
  - “We recommend these 17 classification rules based on your data sources”
  - “Other companies of your size or vertical are using this classification rule”
  - “Review this new classification rule that 43% of other companies have adopted”

Reduced Risk Surface

The baseline is established: Now What
Identity Analytics can dig deeper. But first…
With a baseline of entitlement grants established:
- Identity Analytics can alert when a normal user acquires high risk entitlements!
Anytime a user acquires a high risk entitlement it is an opportunity to determine if this was an approved/accepted activity. Checks and Balances.
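The classify, baseline, then alert flow from the preceding slides, as an added Python example; it is not code from the presentation or from any One Identity product. The grant record fields, the rule format and the right and target strings are constructed for illustration; the two rules mirror the slide's Active Directory examples.

```python
from fnmatch import fnmatch

# Classification rules: (rule name, right, target pattern). Hypothetical
# format; a real deployment would express these in its own rule language.
RULES = [
    ("ad-reset-user-password", "ResetPassword", "ad:user:*"),
    ("ad-enable-disabled-user", "WriteProperty:userAccountControl", "ad:user:*"),
]

def classify(grant):
    """Return the names of every rule that marks this grant as high risk."""
    return [name for name, right, target in RULES
            if grant["right"] == right and fnmatch(grant["target"], target)]

def high_risk_by_user(grants):
    """Map each user to the set of (rule, target) high-risk grants they hold."""
    result = {}
    for g in grants:
        for rule in classify(g):
            result.setdefault(g["user"], set()).add((rule, g["target"]))
    return result

def new_high_risk(baseline, current_grants):
    """Alert on high-risk grants present now but absent from the baseline."""
    alerts = []
    for user, held in sorted(high_risk_by_user(current_grants).items()):
        for rule, target in sorted(held - baseline.get(user, set())):
            alerts.append({"user": user, "rule": rule, "target": target,
                           # False means a previously normal user crossed over
                           "previously_high_risk": user in baseline})
    return alerts

# Constructed harvest snapshots (not real data).
SNAPSHOT_1 = [
    {"user": "helpdesk1", "right": "ResetPassword", "target": "ad:user:OU=Staff"},
    {"user": "alice", "right": "Read", "target": "share:presales"},
]
SNAPSHOT_2 = SNAPSHOT_1 + [
    {"user": "alice", "right": "WriteProperty:userAccountControl",
     "target": "ad:user:OU=Staff"},
    {"user": "helpdesk1", "right": "Read", "target": "share:it"},
]

if __name__ == "__main__":
    baseline = high_risk_by_user(SNAPSHOT_1)
    for alert in new_high_risk(baseline, SNAPSHOT_2):
        print(alert)
```

Each alert is the trigger for the approval check the slide describes: the low-risk grants added in the second snapshot produce no alert.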

Peer Group Analysis: Anomalies
- Further analyzing peer groups provides deeper insights
- Find anomalous entitlement grants

Peer-group Analysis
Here’s a concrete example and some appropriate questions:
- Does Alice’s behavior coincide appropriately with her role?
- Is this acceptable behavior?
- Should she have access to Asset X?
- Is she part of PreSales?

Dormant Access
- Identity Analytics reviews entitlement usage to determine if there are unused grants
- Eliminate unused or unneeded grants, which are significant security risks
- Help you identify which in-use, high-risk grants should be vaulted in your favorite privileged account management system
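The peer-group question about Alice and the dormant-access review, as an added Python example rather than code from the presentation. The record layout, the 25% peer-share threshold, the 90-day idle window and all sample names other than Alice, PreSales and Asset X are assumptions, and it expects one record per user and entitlement.

```python
from collections import Counter, defaultdict
from datetime import date

def peer_anomalies(grants, groups, max_share=0.25):
    """Flag grants held by at most max_share of the holder's peer group."""
    members = defaultdict(set)
    for user, group in groups.items():
        members[group].add(user)
    holders = Counter((groups[g["user"]], g["entitlement"]) for g in grants)
    flagged = []
    for g in grants:
        group = groups[g["user"]]
        share = holders[(group, g["entitlement"])] / len(members[group])
        # A one-person group has no peers to compare against.
        if len(members[group]) > 1 and share <= max_share:
            flagged.append((g["user"], g["entitlement"], round(share, 2)))
    return sorted(flagged)

def dormant_grants(grants, today, max_idle_days=90):
    """Flag grants never used, or not used within max_idle_days."""
    flagged = []
    for g in grants:
        last = g["last_used"]
        if last is None or (today - last).days > max_idle_days:
            flagged.append((g["user"], g["entitlement"]))
    return sorted(flagged)

# Constructed sample data: five PreSales users who all hold crm-read.
GROUPS = {u: "PreSales" for u in ("alice", "bob", "carol", "dave", "erin")}
GRANTS = [{"user": u, "entitlement": "crm-read", "last_used": date(2024, 5, 30)}
          for u in GROUPS]
GRANTS += [
    {"user": "alice", "entitlement": "asset-x", "last_used": date(2024, 5, 28)},
    {"user": "bob", "entitlement": "demo-lab-admin", "last_used": date(2024, 1, 10)},
    {"user": "carol", "entitlement": "demo-lab-admin", "last_used": None},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print("anomalous:", peer_anomalies(GRANTS, GROUPS))
    print("dormant:  ", dormant_grants(GRANTS, TODAY))
```

Alice's Asset X grant is in use but held by only one of five peers, so it surfaces for review; the two demo-lab-admin grants are candidates for removal because nobody has used them inside the window.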

Entitlements & Entropy
- Entropy = “gradual decline into disorder”
- Why can Jason do “X” and I can’t do the same?
- IAI isn’t just about identifying risk – it’s also about untangling years of entropy that have set in across all your systems.

Micro-Certification
- IA finds anomalous or unused entitlement grants, but ultimately lets the business decide what’s acceptable
- Real-time and contextual versus scheduled and unrelated
- Certify on high-risk change versus change

Machine Learning Intelligence
Machine learning is a method of data analysis that automates analytical model building. Using algorithms that iteratively learn from data, machine learning allows computers to find hidden insights without being explicitly programmed where to look.

Machine Learning Insights over Time

Apply What You Have Learned Today
- When you get back to work: Educate your managers and staff that identity is a key indicator of risk in your organization and that identity is composed of credentials that may significantly span your organization, contractors, partners or customers. What reconciliation program is in place to manage these identities?
- Within a month: Inventory what identities could be considered high-risk, and why. Perform a peer-group or cluster analysis of privileged identities. What revelations were in the data?
- Within a quarter: Highlight the effectiveness or need for an identity & risk analytics system.

Thank you! Questions? Jackson.Shaw@OneIdentity.com Follow me on Twitter @JacksonShaw