• United States




Beyond risk scoring

Feb 13, 20174 mins
Identity Management SolutionsSecurity

Unlocking its full potential requires closed-loop responses

diverse group of millennials holding up score card numbers
Credit: Thinkstock

Risk scoring is not an end in itself once it shows up color coded and normalized between 0 and 100 in a security operations center (SOC) dashboard. To provide real value it must be supplemented by a closed-loop response process that can automate defensive measures or responses with little or no human intervention.  

So, what is a closed-loop response process? One example involves implementing ‘step-up authentication’ where individual risk scores are leveraged. If a user has a high risk score from a behavior analytics solution, perhaps they are presented with three authentication challenges, if their risk score is low, only one challenge.

This method can make multi-factor authentication (MFA) more acceptable to users. It also raises security awareness among high-risk users, especially those with privileged access credentials. In some advanced deployments, passwords are not required when the behavior analytics risk score is low and the user identity and device profile is assured, thus removing friction for the business process.

How does it work? One effective method is to use machine learning to generate behavior analytics to determine risk scores for individual users and entities. For maximum value, the risk scoring should come from both access and activity data sources versus simple field validations and ranges. Providing the risk scores requires an API layer supporting bi-directional integration between complementary security solutions such as the MFA example above.

There are obstacles however. What if the desired security, access or business application does not have an API for bi-directional integration? This is a key factor, since this model requires the integration of multiple sources of information to produce valid risk scores. It’s critical to bi-directionally share risk scores, data and desired automated response actions between solutions to detect unknown threats, reduce access risk and improve processes.

For example, IAM systems are central to managing identities, accounts and privileges for users and groups. As such, they provide a critical data source for producing identity analytics which enable a risk-based approach for access certifications, requests and approvals. This eliminates rubber stamping of certifications and access cloning, which inevitably results in fewer unnecessary privileges and lowers access risk.

The closed loop deployment of identity analytics with IAM solutions via bi-directional API enables the following. First, the IAM solution is a data source for the behavior analytics solution to produce identity analytics (or identity access intelligence) to reduce excess access and access risks, as noted above. Second, the behavior analytics solution can monitor the IAM solution to detect access outliers to invoke an access certification request from the account owner. If the access is revoked, the IAM system removes the access and notifies the behavior analytics solution so the risk is removed and risk re-scoring processes begin.

Beyond access outlier remediation is the concept of dynamic access provisioning where a low risk score enables an access request to be provisioned without human approval cycles. This can speed up business process workflows. In fact, some enterprises have been able to eliminate human review and approval for more than one-third of access requests using this closed-loop risk scoring approach.   

However, all these examples require bi-directional API integration. This open API concept is often called the ‘democratization of data’ and the future of using analytics for security requires it.

My best practice recommendations are to inventory your current solutions to gain an understanding of the output data they produce. This will help determine whether machine learning can be applied in order to assess risk and score activity. Data that is maintained in silos with limited or no access will impede both the success and use cases for risk scoring and closed-loop responses.  

Next, inventory all APIs to verify where bi-directional API integrations for desired closed-loop response deployments are available, and then where risk scores can determine policy actions between systems. More simply put, the magic happens when you can provide the most valuable source data for behavior analytics to drive risk scoring. And where upstream systems can leverage scores to reduce risk and eliminate manual processes. That is a beautiful two-way street. 

How do you keep score? Head to Facebook to comment.


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.