How automated responses to risk-scored activity can reduce threats.

Gartner recently introduced a security model for the digital age it calls CARTA (Continuous Adaptive Risk and Trust Assessment). The goal is to manage emerging risks and embrace change using an adaptive security architecture that leverages increased context for automated response. Let's consider how automated risk response can help a company quickly identify and respond to security threats.

There are two basic types of closed-loop deployment models for implementing automated risk response.

The first, and most common, is the bidirectional type traditionally found in API integrations between security solutions. Here, when the risk score for a user's anomalous behavior exceeds a predetermined threshold, the appropriate security solution is alerted via API with the risk score, a response code and the incident details it needs to mitigate the threat. This model can incorporate contextual data such as the user's physical location, and the receiving solution relays status information back to update machine learning models and further refine future risk scoring.

The second type of closed-loop risk response is process related, such as the generation of a self-audit report based on a triggered risk score. In this instance, the high-risk incident and profile is sent to the user, or to the user's project leader, to request first-hand insight into the activity that is not available to security operations center (SOC) personnel. These risk score-driven reports may be generated on an ad hoc basis (for contextual feedback on specific incidents) or on a recurring, scheduled basis (e.g., weekly, monthly) for distribution as a routine self-audit review of high-risk activity.
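The two deployment models described above, as an added worked example that is not code from the article: the bidirectional API model (a threshold, the payload handed to the enforcing solution, and status feedback that adjusts future scoring) and the process model (a scheduled self-audit report for the user or project leader). RISK_THRESHOLD, RESPONSE_CODES, the location weight, the feedback adjustment and the incidents in run_demo are assumptions constructed for the illustration.

```python
"""Closed-loop automated risk response in both deployment models: the
bidirectional API model (threshold, payload, status feedback) and the
process model (a self-audit report for the user or project leader).

Added example, not code from the article. RISK_THRESHOLD, RESPONSE_CODES,
the location weight, the feedback adjustment and the incidents in
run_demo are assumptions constructed for this illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RISK_THRESHOLD = 70  # predetermined threshold on a 0-100 scale (assumed)
# Response codes the enforcing solution understands (assumed vocabulary).
RESPONSE_CODES = {"high": "SUSPEND_SESSION", "medium": "STEP_UP_MFA"}


@dataclass
class Incident:
    incident_id: str
    user: str
    activity: str
    base_score: int      # anomaly score from the analytics engine
    country: str         # observed location context
    timestamp: datetime


@dataclass
class UserProfile:
    user: str
    home_countries: set
    feedback_bias: int = 0   # learned from closed-loop feedback
    history: List[Incident] = field(default_factory=list)


def contextual_score(incident: Incident, profile: UserProfile) -> int:
    """Fold location context and the learned bias into the base anomaly score."""
    score = incident.base_score + profile.feedback_bias
    if incident.country not in profile.home_countries:
        score += 20  # assumed weight for an unexpected location
    return max(0, min(100, score))


def dispatch_response(incident: Incident, profile: UserProfile) -> Optional[Dict]:
    """API model: payload sent to the enforcing solution when the score crosses
    the threshold; None means no automated response for this incident."""
    profile.history.append(incident)
    score = contextual_score(incident, profile)
    if score < RISK_THRESHOLD:
        return None
    level = "high" if score >= 90 else "medium"
    return {
        "incident_id": incident.incident_id,
        "user": incident.user,
        "risk_score": score,
        "response_code": RESPONSE_CODES[level],
        "details": {"activity": incident.activity, "country": incident.country,
                    "timestamp": incident.timestamp.isoformat()},
    }


def apply_feedback(profile: UserProfile, verdict: str) -> int:
    """Status relayed back (by the enforcing tool or the user's self-audit answer)
    closes the loop: confirmed incidents raise future scores, false positives lower them."""
    if verdict == "false_positive":
        profile.feedback_bias -= 10
    elif verdict == "confirmed":
        profile.feedback_bias += 10
    return profile.feedback_bias


def build_self_audit_report(profile: UserProfile, since: datetime,
                            threshold: int = RISK_THRESHOLD) -> List[Dict]:
    """Process model: self-audit listing the user's high-risk incidents in the
    period, re-scored with the current bias, for first-hand confirmation."""
    return [
        {"incident_id": i.incident_id, "activity": i.activity,
         "risk_score": contextual_score(i, profile)}
        for i in profile.history
        if i.timestamp >= since and contextual_score(i, profile) >= threshold
    ]


def run_demo() -> Dict:
    """Walk one user through both loops with constructed incidents."""
    now = datetime(2018, 11, 5, 9, 0)
    profile = UserProfile("alice", {"US"})
    incidents = [
        Incident("INC-1", "alice", "bulk download", 60, "US", now),
        Incident("INC-2", "alice", "bulk download", 60, "RO", now + timedelta(hours=1)),
        Incident("INC-3", "alice", "admin group change", 75, "RO", now + timedelta(hours=2)),
    ]
    responses = [dispatch_response(i, profile) for i in incidents]
    bias = apply_feedback(profile, "false_positive")  # alice confirms INC-2 was her travel
    late = dispatch_response(
        Incident("INC-4", "alice", "bulk download", 60, "RO", now + timedelta(hours=3)), profile)
    report = build_self_audit_report(profile, since=now - timedelta(days=1))
    return {"responses": responses, "bias": bias, "late": late, "report": report}


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is the feedback leg: after the user's self-audit answer marks INC-2 as benign, the same behaviour scores 10 points lower, so the report and the next dispatch decision both change without any rule being rewritten.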
Next, let's take a closer look at some actual use case examples of closed-loop API and process-based automated risk response in action:

High privileged access abuse
Risk scores identify high privileged access (HPA) account abuse by combining data sources for accounts, access and activity (IAM, PAM, directory services, SIEM or log aggregators, application events). A prime example of suspicious behavior that would generate an alert is a user assigning special or elevated privileges to their own account, followed by activity or transactions outside the PAM password check-out and check-in window. Other high-risk activities include access to resources and transactions outside normal peer behavior profiles, abnormal access to classified or sensitive documents, and multiple concurrent sessions from the same account across different IPs, devices, locations, etc.

Step-up authentication
Risk scores per user or entity can determine the login challenges a multi-factor authentication (MFA) solution imposes, via bidirectional API integration. For example, a high risk score results in multiple challenges and heightened security awareness for the end user, while a low risk score results in a single challenge, or none, to remove friction from business process flows. This is also known as adaptive authentication.

Risk scoring of DLP alerts
Automates the delivery of high-scoring alerts to project leaders and managers with the context required to determine whether an alert is valid. Feedback from this closed loop also trains the machine learning models to avoid future false positives.

SIEM alert risk scoring
Provides a point of reference for SOC analysts on whether to escalate investigation of suspicious incidents, while decreasing alert fatigue and dead ends.
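The HPA abuse rules and the step-up authentication decision above, as one added worked example (not code from the article): three detections over constructed PAM check-out records, IAM privilege-grant events and a session log (self-elevation, use of a vault-managed account outside its check-out window, concurrent sessions from different IPs), each contributing to a per-user score, and an mfa_policy function that turns that score into the challenge set an MFA solution would receive over its API. The rule weights, SESSION_WINDOW, the policy tiers and all data are assumptions.

```python
"""Risk scoring of high privileged access (HPA) activity, with the score
driving step-up (adaptive) authentication.

Added example, not code from the article. The data below is constructed to
mimic PAM check-out records, IAM privilege grants and session logs; the rule
weights, SESSION_WINDOW and the mfa_policy tiers are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed PAM vault records: (user, privileged account, check-out, check-in)
PAM_CHECKOUTS = [
    ("dave", "db-admin", datetime(2018, 11, 5, 9, 0), datetime(2018, 11, 5, 10, 0)),
]
# Constructed IAM privilege-grant events: (actor, target account, privilege)
PRIV_GRANTS = [
    ("bob", "bob", "Domain Admins"),         # actor elevates their own account
    ("alice", "carol", "Backup Operators"),  # grant to someone else
]
# Constructed session log: (account, action, timestamp, source IP, session id)
ACTIVITY = [
    ("db-admin", "SELECT * FROM payroll", datetime(2018, 11, 5, 9, 30), "10.0.0.5", "s1"),
    ("db-admin", "DROP TABLE audit", datetime(2018, 11, 5, 11, 15), "10.0.0.5", "s2"),  # after check-in
    ("bob", "login", datetime(2018, 11, 5, 12, 0), "10.0.0.5", "s3"),
    ("bob", "login", datetime(2018, 11, 5, 12, 5), "203.0.113.9", "s4"),  # second IP within minutes
]
SESSION_WINDOW = timedelta(minutes=30)
WEIGHTS = {"self_grant": 45, "outside_checkout": 35, "concurrent_sessions": 30}


def holder_at(account: str, ts: datetime, checkouts) -> str:
    """User holding a checked-out password for `account` at `ts`, or '' if none."""
    for user, acct, out, back in checkouts:
        if acct == account and out <= ts <= back:
            return user
    return ""


def last_holder(account: str, ts: datetime, checkouts) -> str:
    """Most recent user to have checked the account back in before `ts`."""
    prior = [c for c in checkouts if c[1] == account and c[3] < ts]
    return max(prior, key=lambda c: c[3])[0] if prior else account


def score_users(checkouts, grants, activity) -> Dict[str, Dict]:
    """Apply the three HPA rules and return {user: {score, findings}}."""
    findings: Dict[str, List[Tuple[str, str]]] = {}

    def flag(user, rule, detail):
        findings.setdefault(user, []).append((rule, detail))

    # Rule 1: a user granting elevated privilege to their own account.
    for actor, target, priv in grants:
        if actor == target:
            flag(actor, "self_grant", priv)

    # Rule 2: vault-managed account used outside any check-out window,
    # attributed to the last user who held the password.
    managed = {c[1] for c in checkouts}
    for account, action, ts, ip, sid in activity:
        if account in managed and not holder_at(account, ts, checkouts):
            flag(last_holder(account, ts, checkouts), "outside_checkout", f"{action} at {ts:%H:%M}")

    # Rule 3: sessions for one account from different IPs inside SESSION_WINDOW.
    by_account: Dict[str, List] = {}
    for account, action, ts, ip, sid in activity:
        by_account.setdefault(account, []).append((ts, ip, sid))
    for account, sessions in by_account.items():
        for i, (t1, ip1, s1) in enumerate(sessions):
            for t2, ip2, s2 in sessions[i + 1:]:
                if ip1 != ip2 and abs(t2 - t1) <= SESSION_WINDOW:
                    flag(account, "concurrent_sessions", f"{s1}@{ip1} and {s2}@{ip2}")

    return {
        user: {"score": min(100, sum(WEIGHTS[r] for r, _ in f)), "findings": f}
        for user, f in findings.items()
    }


def mfa_policy(score: int) -> Dict:
    """Adaptive-authentication decision handed to the MFA solution: several
    challenges plus a user notification for high scores, one challenge for
    medium, nothing beyond the primary login for low scores."""
    if score >= 70:
        return {"challenges": ["otp", "push_approval"], "notify_user": True}
    if score >= 30:
        return {"challenges": ["otp"], "notify_user": False}
    return {"challenges": [], "notify_user": False}


if __name__ == "__main__":
    for user, result in score_users(PAM_CHECKOUTS, PRIV_GRANTS, ACTIVITY).items():
        print(user, result["score"], mfa_policy(result["score"]), result["findings"])
```

Rule 2 is the one that needs the most care in practice: activity on a shared privileged account has no user identity of its own, so the attribution to the last check-out holder is an inference, and the finding should carry the check-in time so the SOC analyst can see how far outside the window the activity fell.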
Via bidirectional API integration, risk-scored alerts can be sent back to the SIEM to prioritize "find-fix" resources.

Self-audit and ID theft detection
While risk scoring helps detect anomalies and suspicious activity, its value increases significantly when supplemented with self-audit context from employees, partners and customers. They can confirm whether they performed the high-risk activity (and why), or whether their account was compromised by someone else. This creates a powerful, collaborative closed-loop process flow between users and IT security that normally does not exist, and it promotes deterrence and security awareness.

Access outlier remediation
By continuously monitoring access and activity, risk-scored access outliers can be sent to the IAM system to trigger a certification request to the account owner or manager. If access is revoked, the IAM system is updated and feedback via API informs the monitoring solution of the change so it can re-score the user or entity.

Risk-scored access certification requests
Manual review of access certifications is, most of the time, rubber-stamped using the check-all-of-the-above option. To eliminate the threats this creates, each access request is assigned a risk score, so the account owner or manager can confidently approve low-risk requests and investigate high-risk ones. The result is more revocations, which reduces access risk.

The combination of risk-based analytics with API integration of layered security tools can enable automated responses to threats that would otherwise slip through the cracks of a siloed detection and protection architecture. This adaptive risk response model is one of those rare approaches in IT security where 1 + 1 = 3.
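The access outlier remediation and risk-scored certification sections above, as one added worked example (not code from the article): entitlements are scored by how rare they are among the user's departmental peers, the certification request for a user is generated riskiest-first with an approve/review recommendation, and the reviewer's revocations are written back and the user re-scored, which is the feedback leg the monitoring solution receives over the API. Departments as peer groups, the scoring formula, the SENSITIVE set, REVIEW_THRESHOLD and the IAM extract are assumptions constructed for the illustration.

```python
"""Access outlier detection feeding risk-scored access certification.

Added example, not code from the article. Peer groups are taken to be
departments; the scoring formula, SENSITIVE set, REVIEW_THRESHOLD and the
IAM extract below are assumptions constructed for the illustration."""
from typing import Dict, List

# Constructed IAM extract: user -> (department, set of entitlements)
IAM = {
    "alice": ("finance", {"erp-ap", "erp-gl", "vpn"}),
    "bob":   ("finance", {"erp-ap", "erp-gl", "vpn", "prod-db-admin"}),
    "carol": ("finance", {"erp-ap", "vpn"}),
    "dave":  ("finance", {"erp-ap", "erp-gl", "vpn"}),
    "erin":  ("eng", {"vpn", "git", "prod-db-admin"}),
    "frank": ("eng", {"vpn", "git", "prod-db-admin"}),
}
SENSITIVE = {"prod-db-admin"}  # assumed high-impact entitlements
REVIEW_THRESHOLD = 50          # items at or above this are flagged for investigation


def peer_prevalence(user: str, entitlement: str, iam: Dict) -> float:
    """Fraction of the user's departmental peers that hold the entitlement."""
    dept = iam[user][0]
    peers = [u for u, (d, _) in iam.items() if d == dept and u != user]
    if not peers:
        return 0.0
    return sum(1 for u in peers if entitlement in iam[u][1]) / len(peers)


def entitlement_risk(user: str, entitlement: str, iam: Dict) -> int:
    """0-100: rare among peers scores high; sensitive entitlements get a bump."""
    score = round(100 * (1 - peer_prevalence(user, entitlement, iam)))
    if entitlement in SENSITIVE:
        score = min(100, score + 25)
    return score


def user_risk(user: str, iam: Dict) -> int:
    """Access risk of the user: the riskiest entitlement they currently hold."""
    return max((entitlement_risk(user, e, iam) for e in iam[user][1]), default=0)


def certification_items(user: str, iam: Dict) -> List[Dict]:
    """Risk-scored certification request for the owner or manager, riskiest first."""
    items = []
    for e in sorted(iam[user][1]):
        score = entitlement_risk(user, e, iam)
        items.append({
            "entitlement": e,
            "risk_score": score,
            "recommendation": "review" if score >= REVIEW_THRESHOLD else "approve",
        })
    return sorted(items, key=lambda i: -i["risk_score"])


def apply_decisions(user: str, decisions: Dict[str, str], iam: Dict) -> Dict:
    """Write the reviewer's decisions back to IAM and re-score the user: the
    feedback the monitoring solution receives over the API after a revocation."""
    before = user_risk(user, iam)
    revoked = [e for e, d in decisions.items() if d == "revoke" and e in iam[user][1]]
    for e in revoked:
        iam[user][1].discard(e)
    return {"revoked": revoked, "risk_before": before, "risk_after": user_risk(user, iam)}


def run_demo() -> Dict:
    """Certify bob on a private copy of the extract so module data stays intact."""
    iam = {u: (d, set(ents)) for u, (d, ents) in IAM.items()}
    items = certification_items("bob", iam)
    # Reviewer investigates the flagged item and revokes it, approves the rest.
    decisions = {i["entitlement"]: ("revoke" if i["recommendation"] == "review" else "approve")
                 for i in items}
    return apply_decisions("bob", decisions, iam)


if __name__ == "__main__":
    for item in certification_items("bob", IAM):
        print(item)
    print(run_demo())
```

The same entitlement scores differently depending on the peer group: prod-db-admin is an outlier for a finance user and a routine holding for an engineer, which is exactly the context a reviewer lacks when every request arrives with the same check-all-of-the-above box.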