• United States




You can steal my identity, but not my behavior

Apr 19, 20174 mins
Access ControlAnalyticsCSO and CISO

Time is ripe for transition from identity to behavior based security model

behavior facial expressions emotions
Credit: Thinkstock

The compromise and misuse of identity is at the core of modern threats and data breaches. This has been documented for years and continues to escalate. As a result, we are rapidly approaching the end of life for password-based security and centralized access. Legacy controls and architecture are due for replacement. So, what should replace them?

There’s no one silver bullet. However, one approach appears to be bubbling up to the surface. It’s the shift from Identity- to behavior-based security.

Identity Access Management (IAM) infrastructures were originally built to enable user convenience, with few security features built in. They moved us from the barbaric manner of connecting individual users to applications via IP attributes to provisioning access to multiple users across vast networks of systems. At one time, identity was the new security frontier where we threw money and energy to exert control. And, now, that’s so yesterday.

Our organically cobbled IAM systems have run their course. We can no longer solely use identity-based security to determine who are the attackers and who are the victims. Furthermore, we have limited control over what users are doing on the network, and often lack the ability to determine what they have access to and under what context. The current IT environment has evolved far beyond the point where it can be managed via identity-based security policies and tools.

We’ve entered a new era of fragmented components of users, applications, data lakes, hybrid environments – where the network perimeter has faded. As a result, we must rethink our current practices to embrace the next security paradigm that lies beyond identity, and instead focuses on behaviors.

This new model establishes a perimeter that relies on the behavior of individuals and their peers to determine both identity and integrity. As an example, at the last NH-ISAC conference, Facebook demonstrated how it is currently implementing this brave new approach. The company now assumes users’ passwords and devices are already compromised and analyzes over 80 attributes to determine the identity of the user prior to authentication. Meanwhile, this year’s winner of the 2017 RSAC Innovation Sandbox competition, UnifyID, combines 100+ sensor data attributes from everyday devices (smart phones, smart watch, etc.) to authenticate users, achieving a more than 99.999 percent true positive rate.

Another promising development is private block chains which can provide key advantages for data integrity. Blockchain technology helps facilitate digital trust by building tamper-proof digital vaults to protect connected users and devices, define their access permissions and bring redundancy into the system. Authentications are implemented on a device-to-device basis, without reliance on a central authority or passwords. The October 2016 DDoS attack on Dyn brought down a large number of websites via a botnet attack called Mirai, which hijacked over 100,000 vulnerable IoT devices. This incident forced the security issues with IoT security to the frontline and could have been prevented by using blockchain technology.

At the government level, the US Department of Homeland Security (DHS) is working with an emerging company, Factom, to determine whether blockchain can be used to limit would-be hackers’ abilities to corrupt the past records for a device, making it more difficult to spoof. Factom’s technology secures data for private and public organizations by publishing encrypted data or a cryptographically unique fingerprint of the data to their immutable, distributed blockchain. Analyst firm Gartner has identified blockchain as one of 2016’s hype cycle emerging technologies that organizations should track to gain competitive advantage.

The opportunity to know more, and to know it much more quickly, is upon us. Organizations are already storing large volumes of users’ digital footprints in data lakes. These resources can be mined to identify user behavior patterns and reduce access risk. This knowledge can dramatically improve the veracity of authenticating users and enable detection of anomalous events and potential threats. Powerful machine learning models when applied to relevant data attributes can provide the answers needed for implementing a behavior-based security perimeter now.

Behavioral fingerprinting of user and entity activities and access is a huge leap forward from the current declarative defenses that rely on rules, signatures and patterns for detecting known bads.  

Let us know your thoughts, head to our Facebook page.


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.