Steve Woo Marketing and Strategic Business Development Securify

Flip through the pages of any IT or security trade journal and before long, you'll find discussion of the need for security practitioners to map security to the business. The paradigm shift from ‘protecting information assets’ (i.e. security) to ‘managing IT risk (as it relates to the business) was in great part triggered by the Sarbanes Oxley Act (SOX), which set the precedent for making executive management accountable for the integrity of IT systems. Once the regulatory floodgates were opened, a slew of other regulations followed suit. Not to be left out, the private sector trumped SOX with the introduction of the PCI Data Security Standard -- arguably the most well defined and rigorous set of guidelines as well as the biggest piece of many corporate security budgets (and headaches) today.

A quick scan through recent headlines, however, reveals that “compliant” and “secure” are still mutually exclusive. What good is being PCI-compliant, or having a HackerSafe seal on your website if you get breached the next day? If you buy into the notion that the role of security is to enable business execution in as safe a manner as possible, then the operational element in risk management warrants some scrutiny – as more often than not it is chinks or glitches that occur as part of daily operations that if left unaddressed, can lead to bigger problems down the road. It might not be trendy to force attention back to bits and bytes, but a slight pendulum swing back in the technical direction may not be such a bad thing.

Both security and network operations play a key role in operational risk management, defined by Wikipedia as “the oversight of many forms of day-to-day operational risk including the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” A well defined subcategory of risk management, operational risk management lends itself well to IT. While you can’t control external events, you can manage people, systems, and process and do so in a way that passes audit muster.

Identity-based monitoring
Knowing that IT systems are both dynamic and complex, the only way to manage network activity is to have some understanding of what is actually happening on the network (and preferably not just ‘after the fact). If you’re trying to gain visibility into the day-to-day nature of IT systems, you need a system in place that can track and report on overall network activity in order to benchmark what “normal” behavior looks like – who is doing what on the network, where and when. Especially since, as both internal and external auditors have already covered many bases of risk, they are now tightening the screws so to speak and demanding more proof of the ‘who, what where’ during audits and audit preparation.

Identity-based monitoring – which could be described as fusion of Identity/Access Management (IAM) and Network Behavioral Analysis (NBA) -- is one of the best ways to achieve this kind of real-time visibility. Specifically, identity-based monitoring combines real-time data from directories such as LDAP and Microsoft Active Directory with data captured from network devices via either deep packet inspection or via flow data like Cisco NetFlow and Juniper JFlow). Binding each user’s identity to network monitoring in real-time is a key innovation because it automates the real-time processes of mapping people (users and user groups) to business systems -- something that has traditionally been done through manual, historical querying of log data, or after the fact. In addition, the real-time context provided by identity-based monitoring can also be used to create controls that help pinpoint certain types of network activity and even automatically stop certain behaviors inside the network, when required. The ability to see “who” as well as “what” “where” and “when” adds a whole new level of insight that enables IT managers to make better real-time decisions about how to manage operational risk.

While widely deployed in the government sector, when it comes to private sector operational risk management, identity-based monitoring is one of IT’s best kept secrets. . In order to see how it supports operational risk management, let’s take a deeper dive into how it mitigates the risk associated with three common three major operational risk vectors -- managing user access to network and system resources, managing infrastructure change, and protecting against insider threats.

User access verification
Network monitoring usually addresses three layers of access: network access, including which networks and segments and/or resources can be accessed by other networks and segments; system access, or which assets, services or applications can be accessed by which users or groups of users based on title, department, or role; and transaction access, occurring within a system or application, covering which specific transactions, commands or data can be accessed by different users and groups/roles.

While there are application-level solutions to cover transaction access, the highly dynamic nature of ever changing and complex networks means there will be recurring gaps in network and system access that reflect an underlying lack of broad visibility and control. Typical gaps at the network access level include unauthorized network paths and physical and/or routed connections that shouldn't exist at all. Obviously these connections bypass existing controls and are likely to be highly insecure.

At the system-access level, identity-based monitoring can quickly identify and mitigate services or types of users that shouldn't be seen at all on particular network segments. Additionally, when integrated with network access control (NAC) solutions, ID-based monitoring delivers network visibility both at the core and edge of the enterprise network. This enables organizations to continuously assess hosts responsible for disrupting network performance, and quickly block offenders before any impact on network availability.

Managing infrastructure change
Whether consolidating call centers, combining disparate networks after a merger or acquisition, or transitioning operations to external partners or service providers, infrastructure change is difficult and costly. Disruption or damage can occur due partly to a lack of visibility into who is accessing critical systems, what these users are doing, and where on the network they are doing it.

Identity-based monitoring across systems can help discover "who, what and where" during the planning phase of change projects. A monitoring system with a good discovery capability provides a single view that maps network traffic to user groups and their associated activity on critical business systems. A centralized view -- combined with the ability to update that view in real time – can significantly reduce the level of disruption that often accompanies the deployment of new applications, merging and divesting and network segmentation.

When it comes to discovering the source of problems, “who” is always at the head of the list of possible culprits. While clearly essential to user access, the business value that ID-based monitoring can provide is particularly evident when it comes to one of the most important and hard-to-manage risk vectors – mitigating the potential for harm (either ignorantly or maliciously) caused by trusted insiders.

Insider threat protection
Insecure and unauthorized practices by insiders or trusted third parties can create significant risk to critical business systems. They also make for great headlines, with the recent $7 billion Société Générale scandal being the latest publicized case in point. What makes insider threat issues so unnerving is that you expect the bad guys to do bad things, not your own guys. While the focus of information security remains on 'keeping the bad guys out' increasing attention to the damage is being given to the damage that can be done by insiders. The challenge of protecting against insider threat issues is that, companies just don’t know where to start because of the inherent paradox -- it means you don’t really trust your trusted users. If that’s the case, how do you implement controls in a way that isn’t completely intrusive or prohibits them from carryon out their job? The current mechanism of protecting against insider risk is primarily based on the ability to create a clear audit trail, but this is after the fact, after the damage is done and the headlines written.

Impossible to do in real time?
For all the concern, security monitoring according to the best practice standards recommended by CERT and others is nearly impossible to do in real time with traditional security tools. Using log data, even when enhanced with security information management (SIM) tools to get this level of information can drain valuable IT resources and still fall short of delivering real-time operational visibility and control. Intrusion detection and prevention (IDS/IPS) is still primarily focused on the perimeter. And network access and control (NAC) solutions are mostly used for device health checks, not post-connect monitoring.

Identity-based monitoring provides real-time monitoring of high-risk users, and provides instant alerts on misuse, everything from a new employee ignorantly downloading illegal files or a malicious corporate spy bypassing existing controls to gain access to critical business systems and then falsifying logs to erase the audit trail. It also provides additional network context and fills gaps in network access control (NAC) and Data Leakage Prevention (DLP) deployments by verifying all relevant traffic, even if masked.

No Silver Bullets…..
The dynamic and complex nature of IT systems means that no solution by itself will keep an organization’s systems secure. It also means that security practitioners can't afford to think only in terms of technology. While identity-based monitoring can add significant value to a defense-in depth security strategy, it has to be leveraged in conjunction with people and process. That said, there’s a lot to know to successfully manage IT risk, and it's easy to get overwhelmed. Risk managers have to find their way through an extremely hype-driven market, with too many vendors selling too many products that do too many of the same things. Probably one of the most difficult aspects of managing security may actually be staying current on innovation and understanding how to best augment legacy systems.

Unfortunately, at the end of the day, many of yesterday’s “comprehensive solutions” turn out to be glorified point solutions that address specific, but related, internal and external risks. As a result, additional investment is required to integrate, automate, or supplement existing controls, which in turn creates new gaps or blind spots that introduce risk back into the equation. While monitoring can tell you who is doing what, when and where on the network, it is the risk manager who must articulate why this matters and which approach adds the most value to the organization.