by Dave Taku

It Takes Two to Manage Identity Risk: Your Identity and Security Operations Teams

Opinion
Sep 24, 2018, 3 mins
Identity Management Solutions, Security

In the fight to keep identity risk in check, identity teams are discovering a powerful ally: The Security Operations Center.


Today’s industrial revolution is driven not by steam engines, machine-based automation and factory systems, but by the power of cloud, mobility and machine-based analytics. It’s an exciting time filled with opportunity—and risk. Digital transformation brings digital risk, and identity risk is quickly rising to the top of that list.

To mitigate and respond to identity risk, identity and access management must evolve to combine insights from traditional sources with those from the Security Operations Center (SOC).

Who Is this User? Should They Be Granted Access? IAM Holds the Key

Identity and access management helps answer two questions: Who is requesting access, and what should they have access to? But with new phishing attacks launched every 30 seconds, passwords alone are no longer sufficient to deliver reliable answers. Modern identity and access management can leverage behavioral analytics and machine learning, combined with multi-factor authentication, to instill greater confidence in identity claims. Patterns of behavior compared against a peer group or the user’s own history, frequented locations and familiar devices can all bolster a user’s claim while simultaneously providing a more transparent user experience. But even these solutions have their limitations. Most are capable only of guarding the front door: they cannot recognize identity risk after logon, and they do nothing to thwart insider threats.

How Are Users Behaving After They Are Granted Access? Your SIEM Knows

While identity and access management focuses on letting the good guys in (with minimal friction), security information and event management (SIEM) is used by the SOC to detect the bad guys who get beyond this first layer of control. Independently, identity and SIEM systems each see only half of the bigger picture. Together, they form a powerful closed loop to detect and respond to identity threats.

When imbued with identity context (including corroborating evidence from the identity and access management layer), the SIEM can go beyond packets and logs to correlate events with a compromised user account. And when a threat is detected, the SOC can take immediate action by instructing the identity layer to quarantine/block the account or require the user to complete a stricter step-up authentication challenge. Finally, identity and access management can inform the SIEM if step-up authentication is successful, thereby helping to identify false positives.
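The two preceding sections describe a front door (login risk scored against familiar devices and locations) and a closed loop behind it (SIEM correlation enriched with identity context, a step-up challenge requested by the SOC, and the result fed back to close false positives). The following Python sketch is an added illustration of that loop and is not code from the article or from any identity or SIEM product; the `IdentityLayer` and `Siem` classes, the risk thresholds, the "5x baseline download" correlation rule and all users, devices and MFA outcomes are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set
    known_countries: set
    baseline_daily_downloads: int  # learned from past history (constructed)


@dataclass
class Decision:
    action: str  # "allow", "step_up" or "block"
    reason: str


class IdentityLayer:
    """Hypothetical IAM front door: scores each login against the user's past
    devices and locations, and can quarantine or step-up on request from the SOC."""

    def __init__(self, profiles, mfa_outcomes):
        self.profiles = profiles
        self.mfa_outcomes = mfa_outcomes  # constructed: user -> did the MFA challenge succeed?
        self.quarantined = set()

    def login_risk(self, user, device, country):
        p = self.profiles[user]
        risk = 0
        if device not in p.known_devices:
            risk += 40
        if country not in p.known_countries:
            risk += 40
        return risk  # 0, 40 or 80 under this toy policy

    def login(self, user, device, country):
        if user in self.quarantined:
            return Decision("block", "account quarantined by SOC")
        risk = self.login_risk(user, device, country)
        if risk >= 80:
            return Decision("step_up", f"unfamiliar device and location (risk {risk})")
        return Decision("allow", f"risk {risk} below step-up threshold")

    def step_up(self, user):
        # Real deployments would issue an MFA challenge here; the outcome is simulated.
        return self.mfa_outcomes.get(user, False)

    def quarantine(self, user):
        self.quarantined.add(user)


class Siem:
    """Hypothetical SIEM: enriches post-logon events with identity context and
    drives the SOC playbook that closes the loop with the identity layer."""

    def __init__(self, identity):
        self.identity = identity
        self.alerts = []  # (user, status, detail)

    def ingest(self, event):
        user = event["user"]
        profile = self.identity.profiles[user]
        # Enrichment: has the identity layer seen this host for this user before?
        familiar = event["device"] in profile.known_devices
        # Correlation rule: download volume far above the user's own baseline
        spike = event["downloads"] > 5 * profile.baseline_daily_downloads
        if spike and not familiar:
            self._respond(user)

    def _respond(self, user):
        # Playbook: ask the identity layer for a step-up challenge first.
        if self.identity.step_up(user):
            # Feedback from IAM lets the SOC close the alert as a false positive.
            self.alerts.append((user, "closed_false_positive", "step-up succeeded"))
        else:
            self.identity.quarantine(user)
            self.alerts.append((user, "escalated", "step-up failed; account quarantined"))


def run_scenario():
    """Constructed scenario: two users with download spikes from unknown hosts."""
    profiles = {
        "alice": UserProfile({"alice-laptop"}, {"US"}, baseline_daily_downloads=20),
        "bob": UserProfile({"bob-desktop"}, {"US"}, baseline_daily_downloads=10),
    }
    # Constructed outcomes: alice passes MFA (she really is on a new host); bob does not.
    identity = IdentityLayer(profiles, {"alice": True, "bob": False})
    siem = Siem(identity)

    events = [  # constructed post-logon events
        {"user": "alice", "device": "new-macbook", "downloads": 150},
        {"user": "bob", "device": "unknown-host-7", "downloads": 900},
        {"user": "bob", "device": "bob-desktop", "downloads": 12},  # normal, no alert
    ]
    for e in events:
        siem.ingest(e)

    # The loop closes: the identity layer now blocks bob's next login.
    bob_next = identity.login("bob", "bob-desktop", "US")
    return siem.alerts, bob_next


if __name__ == "__main__":
    alerts, bob_next = run_scenario()
    for alert in alerts:
        print(alert)
    print(bob_next)
```

Running the scenario produces one alert closed as a false positive (alice confirmed her identity through step-up) and one escalation that quarantines bob's account, so his following login is refused at the front door. The design point is that neither system could reach these outcomes alone: the SIEM needs the identity layer's device history to judge the download spike, and the identity layer needs the SIEM's post-logon view to know a quarantine is warranted.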

In today’s high-stakes, high-risk environment, an organization that aims to reduce identity risk must foster cooperation and collaboration between identity and SOC teams. Each holds a piece of the identity puzzle, and only by sharing insights through tighter integration between them can organizations successfully manage identity risk.

Ready to learn more about identity and access management working together with other systems? This webcast on integrating identity and SIEM systems is a good place to start.