SDP and risky users: A surgical approach to secure access

In a bid to protect their networks, many organisations are faced with three lousy choices: allow, deny, or log, when IM tools flag a risky user. One of these options blocks the user, while the other two let a potentially malicious actor into the system. Network security need not be so invasive.

“The weakest link in the security chain is you,” the old fraud security adage goes. What this means is that we humans can be duped, tricked or even bribed, and that can be all it takes to breach even the most well-guarded security perimeter. Whether deliberate or by accident, “insider threats”, as they are called, can be as devastating to an enterprise as a well-coordinated and sustained cyber attack.

This is the prevailing point of view; 78% of IT professionals think employees have put data at risk accidentally over the past 12 months. Worse still, 75% believe employees have put data at risk intentionally, according to a recent survey of global IT leaders.

Organisations trying to protect against the human element of threats have their work cut out for them. They are tasked with overseeing a broad mandate, part of which includes risky user accounts. These can take the form of abandoned accounts that haven’t been used to log into anything for a period of time. Or accounts that have access to privileged or sensitive data and applications, as well as orphaned accounts that can provide access to corporate systems, services and applications, but no longer have a valid owner.

Organisations know the risky user issue very well, which is why they are most likely leveraging one or more identity management (IM) solutions to help assign risks to these three categories. Those tools may include:

• User and entity behaviour analytics – Analytics tools are used for monitoring end user activity to build a user baseline over time. Once this takes place, machine learning technology can distinguish between normal user activity and unusual or anomalous behavior, which can be flagged as suspicious.
• Identity governance and administration – Used for compliance management that helps support an organisation’s IT security and regulatory compliance, by ensuring the right people gain access to the right things at the right time.
• Privileged access management – These tools combine shared access password management, privileged sessions, privileged vendor access, application access and other management tools and technologies to secure, control and monitor access usage to critical data and systems.
• Identity and access management – This includes passwords, authentication, access control, etc, to control access to information within the organisation.

If your organisation has negligent users or malicious insiders doing abnormal things at abnormal times (for example, logging in at 3am on a Sunday, or accessing an account from China when the user has never travelled outside of the US), then risk can be assigned to these users with IM solutions.

But as we stated in our Better Together: AppGate SDP and ITSM blog post, failing to integrate siloed IM solutions with security tools makes it challenging to protect against security threats. In the case of risky users, organisations are asking themselves how to manage the risk posed by these careless or malicious actors in a way that doesn’t interfere with the day-to-day business.

From blunt force trauma to surgical strike

In some cases, people flagged as risky users are, well, not so risky. The problem of false positives, if they get out of hand, can become invasive and bring a legitimate user’s productivity to a screeching halt.

For example, your security or IT team identifies a potential risky user issue and turns on additional logging to investigate. Logs are pulled and tickets are created during a process that can take days or longer. During this time, the “risky” user’s account access may be fully disabled so that the user is unable to do any meaningful work – and this is particularly damaging if it turns out to be a false positive.

The hammer and nail approach that results from relying on siloed IM solutions can loosely be defined as “proactive”, but not in a way that protects your business or keeps it operating and productive. Your organisation needs an alternative to the crude hammer approach, one that is proactive but also surgical in remediating the thorny issues of the “risky user”.

AppGate’s Software-Defined Perimeter (SDP) can integrate with an organisation’s existing IM solutions, as well as those you might implement in the future. AppGate SDP gives IT and security teams a more holistic view of the risks posed by users, by deploying several key capabilities:

• Push and pull data – SDP enables your organisation to shift from the blunt allow/block/log approach to suspicious users, to surgical precision based on risk score. The SDP can pull in data from an IM API source when the risky user requests access to a resource. Depending on the results of this query, different actions can be taken to reduce the attack surface, such as permanently or temporarily blocking them from certain areas within a network.
• Granular entitlements – Users flagged as risky can still access certain non-critical resources in order for them to continue to do their jobs. For example, access can be denied to five entitlements that could cause damage if the user account has been compromised, while still leaving 10 other entitlements open to the user so work can continue.
• Automate actions with confidence – Proactive and surgical precision makes it easier for an organisation’s IT/security teams to more broadly embrace automated responses to the anomalous behaviour of an organisation’s users. What holds back automation is that IT administrators and decision-makers hesitate in moving beyond the ‘allow/block/log’ approach to risky user management.

To learn how AppGate SDP can enhance your existing risk management security investment, click here.