This summer, Integral Partners participated in several national cybersecurity, identity and access management (IAM) and privilege management conferences and webinars. A recurring theme was the growing role of artificial intelligence (AI) and machine learning (ML) and how these technologies will support security efforts in the modern enterprise. Our team found the signal amid the marketing noise, but what was left unsaid were the fundamentals an organization must have in place before adding these technologies to its security operations center.
Benefiting from these technologies requires significant IAM maturity. Beyond the obvious basics, if your organization has already addressed the following challenges in its information security and IAM program, AI/ML should be considered in 2018:
- Deployed a consolidated password policy across all devices for all users, preferably with a single identity (one password per user) accepted on every device. Policy may vary for application accounts, privileged accounts, or federated accounts, but every heartbeat (human) and non-heartbeat (service) account must have its own distinct, strong password. Applying one policy at every endpoint and application removes the weak spots attackers probe in credential stuffing attacks, and it presumes you have deployed an Identity and Access Management solution that controls every account able to reach corporate resources. One caveat: credential stuffing replays passwords leaked from other sites, so the policy should also reject passwords that appear in public breach lists; complexity rules alone do not stop it.
- Deployed multifactor authentication, excluding knowledge-based authentication and SMS two-factor codes. This small amount of friction helps prevent stolen credentials from being used to impersonate privileged users, and it sets the stage for AI analytics that decide when a user must present a second factor in addition to a password. The second factor could be an app on each user's mobile device that generates a one-time code, an app that uses push notifications, or, as a weaker fallback, an email notification (an emailed code is only as strong as the mailbox password protecting it).
- Deployed and integrated access controls for heartbeat and non-heartbeat users: privilege elevation technologies, password vaulting with check-out/check-in, or a combination of these. Each account should hold the minimum permissions needed for its role. AI analytics tools can then consume the resulting access data to learn each user's 'normal' behavior and to identify unusual patterns or risks.
For the purposes of this perspective, we did not include session monitoring or SIEM integration in the list of fundamentals. They are relevant, but the healthcare and financial verticals are drowning in thousands of SIEM alerts daily, and according to Cisco's 2017 mid-year report they are only able to investigate around half of them. Attackers avoid detection in the sheer volume of alerts, and companies cannot hire enough qualified security analysts to separate real threats from false alarms.
The premise of machine learning and artificial intelligence in this space is to supplement human security analysts in investigating the rising tide of daily alerts. All major vendors tout AI/ML on their roadmaps, although not all are currently shipping products. In theory, a well-trained solution will identify and prioritize attacks for human defenders to remediate.
For example, consider a targeted healthcare company facing concurrent distributed denial-of-service (DDoS), ransomware, and credential stuffing attacks, potentially launched by different attackers. In this scenario, human defenders are less likely to examine the lateral movement of other privileged administrator accounts, trusting that their colleagues are working together to defend against the multiple attacks. This smoke-screen methodology lets an outsider holding stolen insider credentials move laterally inside the company's network and exfiltrate data with little suspicion. An artificial intelligence solution with user identity insight, however, would flag that the administrator account is behaving unusually, transferring atypical amounts of data to previously unseen network locations, a likely threat. It would then notify the human defenders to act against the compromised account.
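The following is an added example, not code from the original article or from Integral Partners, of the kind of per-account baseline that the access-control data in the fundamentals above feeds and that the scenario just described relies on. It assumes a hypothetical transfer log with the format `timestamp user destination bytes` (the sample lines are constructed), learns each account's previously seen destinations and a robust (median/MAD) volume baseline, and flags only events that are both unusually large for that account and bound for a never-before-seen destination. Either signal alone is common noise; the combination is the exfiltration pattern in the scenario. The same absolute volume scores differently for a human admin and for a backup service account, which is why the baseline must be per identity.

```python
"""Per-account baseline scoring for data transfers (added example, hypothetical log format)."""
import re
from collections import defaultdict
from statistics import median

# Hypothetical log line format: "<ts> <user> <dest> <bytes>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<dest>\S+)\s+(?P<bytes>\d+)$")

# Constructed sample data: one human admin and one non-heartbeat backup account.
BASELINE_LOG = """
2017-08-01T09:00:00 admin.jsmith 10.0.1.20 1200000
2017-08-01T11:00:00 admin.jsmith 10.0.1.21 950000
2017-08-02T09:30:00 admin.jsmith 10.0.1.22 1100000
2017-08-02T14:00:00 admin.jsmith 10.0.1.20 1050000
2017-08-03T10:00:00 admin.jsmith 10.0.1.21 1300000
2017-08-03T16:00:00 admin.jsmith 10.0.1.22 900000
2017-08-01T02:00:00 svc.backup 10.0.2.5 45000000
2017-08-02T02:00:00 svc.backup 10.0.2.5 47000000
2017-08-03T02:00:00 svc.backup 10.0.2.5 46000000
2017-08-04T02:00:00 svc.backup 10.0.2.5 48000000
"""

# Constructed events arriving during the "smoke screen" incident.
NEW_LOG = """
2017-08-05T09:05:00 admin.jsmith 10.0.1.20 1150000
2017-08-05T09:20:00 admin.jsmith 10.0.1.23 1000000
2017-08-05T09:41:00 admin.jsmith 203.0.113.45 48000000
2017-08-05T10:00:00 admin.jsmith 10.0.1.21 5000000
2017-08-05T02:00:00 svc.backup 10.0.2.5 49000000
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "user": m["user"],
                           "dest": m["dest"], "bytes": int(m["bytes"])})
    return events


def build_baseline(events):
    """Per account: set of seen destinations plus median and MAD of bytes moved."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        med = median(sizes)
        mad = median([abs(s - med) for s in sizes]) or 1.0  # avoid division by zero
        baseline[user] = {"dests": {e["dest"] for e in evs},
                          "median": med, "mad": mad, "count": len(evs)}
    return baseline


def score_event(baseline, event, z_threshold=3.5):
    """Return (score, reasons). 0.5 per signal: volume outlier, unseen destination."""
    prof = baseline.get(event["user"])
    if prof is None:
        return 1.0, ["no baseline for account"]  # unknown account: escalate
    # Modified z-score (median/MAD) is robust to a few big transfers in the baseline.
    z = 0.6745 * (event["bytes"] - prof["median"]) / prof["mad"]
    volume_outlier = z > z_threshold
    unseen_dest = event["dest"] not in prof["dests"]
    reasons = []
    if volume_outlier:
        reasons.append(f"volume z={z:.1f}")
    if unseen_dest:
        reasons.append("unseen destination")
    return 0.5 * volume_outlier + 0.5 * unseen_dest, reasons


def triage(baseline, events, threshold=1.0):
    """Events scoring at or above threshold, annotated for the analyst."""
    flagged = []
    for e in events:
        score, reasons = score_event(baseline, e)
        if score >= threshold:
            flagged.append({**e, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    bl = build_baseline(parse_log(BASELINE_LOG))
    for hit in triage(bl, parse_log(NEW_LOG)):
        print(f"{hit['ts']} {hit['user']} -> {hit['dest']} {hit['bytes']}B: {hit['reasons']}")
```

In the constructed data the only event surfaced at the default threshold is the 48 MB transfer from `admin.jsmith` to `203.0.113.45`; the same 48 MB from `svc.backup` to its usual target is normal, and the admin's large transfer to a known server or small transfer to a new internal host each earn only half a score. In a real deployment the baseline window, the MAD floor, and the threshold would be tuned per account class, and a score of 0.5 would still be worth correlating with other signals rather than discarded.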
Integral Partners' recommendation is that, if the foundational elements above are in place, companies should plan their 2018 budgets to deploy modern security defenses incorporating machine learning and artificial intelligence before becoming the next corporate breach headline.