Using risk for adaptive security

Jul 24, 2017 | 4 mins
Machine Learning, Risk Management, Security

How automated responses to risk-scored activity can reduce threats.


Gartner recently introduced a security model for the digital age it calls CARTA (Continuous Adaptive Risk and Trust Assessment). The goal is to manage emerging risks and embrace change using an adaptive security architecture that leverages increased context for automated response. Let’s consider how automated risk response can help a company quickly identify and respond to security threats.

There are two basic types of closed-loop deployment models for implementing automated risk response.

The first, and most common, is the bidirectional type traditionally found in API integrations between security solutions. Here, when the risk score for anomalous behavior by a user exceeds a predetermined threshold, the appropriate security solution is alerted via API with the risk score, response code and incident details so that it can mitigate the threat. This model can incorporate contextual data such as the user’s physical location, and it relays status information back to update the machine learning models and further refine future risk scoring.

The second type of closed-loop risk response is process related, such as the generation of a self-audit report based on a triggered risk score. In this instance, the high-risk incident and profile are sent to the user, or to the user’s project leader, to request first-hand insight into the activity that is not available to security operations center (SOC) personnel. These risk score-driven reports may be generated on an ad hoc basis (for contextual feedback on specific incidents) or on a recurring, scheduled basis (e.g., weekly or monthly) for distribution as a routine self-audit review of high-risk activity.

Next, let’s take a closer look at some actual use case examples of closed-loop API and process-based automated risk response in action:

High privileged access abuse

Risk scores identify high privileged access (HPA) account abuse by combining data sources for accounts, access and activity (e.g., IAM, PAM, directory services platforms, SIEM or log aggregators, application events). A prime example of suspicious behavior that would generate an alert is a user assigning special or elevated privileges to their own account, followed by activity or transactions outside the window between the privileged password’s check-out and check-in. Other high-risk activities include access to resources and transactions outside normal peer behavior profiles, abnormal access to classified or sensitive documents, and multiple concurrent sessions from the same account originating from different IPs, devices or locations.
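The three HPA patterns above, written as detection logic over constructed PAM and SIEM records. This is an added example, not code from the article or any vendor product; the event layout, the session lifetime and the rule weights are assumptions, and the resulting per-account score is the input a closed-loop response would act on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data (not from the article): PAM check-out/check-in
# windows for a privileged credential, and activity events from a SIEM feed.
PAM_WINDOWS = [("dba_admin", ts("2017-07-24T09:00:00"), ts("2017-07-24T10:00:00"))]
EVENTS = [  # (time, account, action, source_ip, target)
    (ts("2017-07-24T09:30:00"), "dba_admin", "db.export", "10.0.0.5", "customers"),
    (ts("2017-07-24T11:15:00"), "dba_admin", "db.export", "10.0.0.5", "customers"),
    (ts("2017-07-24T11:20:00"), "jsmith", "iam.grant_role", "10.0.0.9", "jsmith"),
    (ts("2017-07-24T11:21:00"), "jsmith", "session.login", "10.0.0.9", "vpn"),
    (ts("2017-07-24T11:25:00"), "jsmith", "session.login", "203.0.113.7", "vpn"),
    (ts("2017-07-24T11:30:00"), "alee", "session.login", "10.0.0.20", "vpn"),
]
NEEDS_CHECKOUT = {"db.export"}       # actions that require a checked-out PAM credential
SESSION_TTL = timedelta(hours=1)     # assumed session lifetime for the concurrency rule
WEIGHTS = {"outside_checkout": 40, "self_grant": 50, "concurrent_sessions": 30}  # assumed

def in_checkout_window(account, when):
    return any(a == account and start <= when <= end for a, start, end in PAM_WINDOWS)

def detect(events):
    """Return {account: [(rule, detail), ...]} for the three HPA abuse patterns."""
    findings = defaultdict(list)
    logins = defaultdict(list)  # account -> [(time, source_ip)] seen so far
    for when, account, action, ip, target in events:
        # 1. privileged activity with no covering PAM check-out window
        if action in NEEDS_CHECKOUT and not in_checkout_window(account, when):
            findings[account].append(("outside_checkout", f"{action} at {when.isoformat()}"))
        # 2. account grants elevated privileges to itself
        if action == "iam.grant_role" and target == account:
            findings[account].append(("self_grant", f"{account} granted a role to itself"))
        # 3. concurrent sessions for one account from different source IPs
        if action == "session.login":
            for prev_time, prev_ip in logins[account]:
                if prev_ip != ip and when - prev_time <= SESSION_TTL:
                    findings[account].append(("concurrent_sessions", f"{prev_ip} and {ip}"))
            logins[account].append((when, ip))
    return dict(findings)

def risk_scores(findings):
    """Sum rule weights per account, capped at 100, as input to a closed-loop response."""
    return {acct: min(100, sum(WEIGHTS[rule] for rule, _ in f)) for acct, f in findings.items()}

if __name__ == "__main__":
    for acct, score in risk_scores(detect(EVENTS)).items():
        print(acct, score)
```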

Step-up authentication

Risk scores per user or entity can determine the login challenges presented by a multi-factor authentication (MFA) solution via bidirectional API integration. For example, high-risk scores result in multiple challenges and increased security awareness for end users, while low-risk scores result in one challenge, or none, to remove friction from business process flows. This is also known as adaptive authentication.

Risk scoring of DLP alerts

Risk scoring automates the delivery of high-scoring alerts to project leaders and managers with the context required to determine whether an alert is valid or not. Feedback from this closed loop also trains the machine learning models to avoid future false positives.

SIEM alerts risk scoring

Risk scoring gives SOC analysts a point of reference for deciding whether or not to escalate investigation of suspicious incidents, while decreasing alert fatigue and dead ends. Via bidirectional API integration, risk-scored alerts can be sent back to SIEM solutions to prioritize “find-fix” resources.

Self-audit and ID theft detection

While risk scoring helps detect anomalies and suspicious activity, its value increases significantly when supplemented with self-audit context from employees, partners and customers. They can confirm whether they performed the high-risk activity (and why), or whether their account was compromised by someone else. This creates a powerful, collaborative closed-loop process flow between users and IT security that normally does not exist, and promotes deterrence and security awareness.

Access outlier remediation

By continuously monitoring access and activity, risk-scored access outliers can be sent to IAM systems to trigger a certification request by the account owner or manager. If access is revoked, the IAM system is updated and feedback via API informs the monitoring solution of the change in order to re-score the user or entity.

Risk-scored access certification requests

To eliminate the threats associated with the manual review of access certification requests, which most of the time are rubber-stamped using the check-all-of-the-above option, each access request has a risk score assigned to it. This enables the account owner or manager to confidently approve low-risk requests and investigate high-risk ones. The result is more revocations, which reduces access risk.
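The access outlier remediation and risk-scored certification use cases above, carried through as an added example (not the article’s or any IAM product’s code): entitlements are scored by how rare they are within the user’s peer group plus an assumed sensitivity weight, certification requests are emitted highest-risk first, and a revocation decision feeds back into the IAM record and re-scores the user. The user records, peer-group definition and weights are constructed assumptions.

```python
# Constructed sample data (not from the article): users with a peer group
# (department) and their entitlements, as an IAM system would export them.
USERS = {
    "alice": {"dept": "finance", "entitlements": {"erp_view", "erp_post"}},
    "bob":   {"dept": "finance", "entitlements": {"erp_view", "erp_post"}},
    "carol": {"dept": "finance", "entitlements": {"erp_view", "erp_post", "prod_db_admin"}},
    "dave":  {"dept": "eng",     "entitlements": {"git_push", "prod_db_admin"}},
    "erin":  {"dept": "eng",     "entitlements": {"git_push", "prod_db_admin"}},
}
SENSITIVE = {"prod_db_admin": 30, "erp_post": 10}  # assumed extra weight per sensitive entitlement

def peer_fraction(users, user, ent):
    """Share of the user's peers (same dept, excluding the user) who hold ent."""
    dept = users[user]["dept"]
    peers = [u for u, rec in users.items() if rec["dept"] == dept and u != user]
    if not peers:
        return 0.0  # no peers: treat the entitlement as fully unusual
    return sum(ent in users[p]["entitlements"] for p in peers) / len(peers)

def score_entitlement(users, user, ent):
    """0-100 risk score: rarer among peers and more sensitive means higher risk."""
    base = (1 - peer_fraction(users, user, ent)) * 70
    return round(min(100, base + SENSITIVE.get(ent, 0)))

def certification_requests(users, threshold=50):
    """Risk-scored certification requests, highest risk first; outliers are those at or above threshold."""
    reqs = []
    for user, rec in users.items():
        for ent in sorted(rec["entitlements"]):
            s = score_entitlement(users, user, ent)
            reqs.append({"user": user, "entitlement": ent, "score": s, "outlier": s >= threshold})
    return sorted(reqs, key=lambda r: -r["score"])

def apply_decision(users, request, revoke):
    """Closed-loop feedback: a revocation updates the IAM record, then the user is re-scored."""
    user = request["user"]
    if revoke:
        users[user]["entitlements"].discard(request["entitlement"])
    return {e: score_entitlement(users, user, e) for e in sorted(users[user]["entitlements"])}

if __name__ == "__main__":
    for r in certification_requests(USERS):
        print(r)
```

With this data only carol’s prod_db_admin entitlement, held by none of her finance peers, scores as an outlier; the low scores on shared entitlements are what let a reviewer approve them without a manual check.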

The combination of risk-based analytics with the API integration of layered security tools can enable automated responses to threats that would otherwise slip through the cracks in a siloed detection and protection architecture. This adaptive risk response model is one of those rare approaches in IT security where 1 + 1 = 3. 


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.