October 19, 2017
What is a metric?
The basic outline of security metrics can be summed up in a few common questions: What, Why, How, When, Where.
What? – Determine specifically what data you will gather.
Why? – Why are you collecting this data and what will be done with it?
How? – How will the data be collected? Automation should be used here.
When? – How often will each piece of data be collected and reviewed?
Where? – This data should be stored electronically in a central location for complete analysis.
In addition to these questions, other considerations may apply, for example:
- Compliance and Data Integrity – What type of data is allowed for use, and does it have geo-residency requirements?
- Understanding – How will the gathered information be analyzed and interpreted?
Traditional thinking (firewall) vs. the new world (identity)
In traditional IT and systems, security revolved around perimeter security devices. There was once a time when a firewall needed to be justified (financially or otherwise). As is common with new best practices, companies carefully weighed cost against value for firewall security. As firewalls have time and again proved their worth, their security value is easily seen. Today, a firewall and other perimeter security are standard practice.
A Microsoft datasheet lays out the new security landscape: “Traditional security solutions used to be enough to protect your business. But that was before the attack landscape grew more sophisticated and the transition to mobility and the cloud made employees’ interactions with other users, devices, apps, and data more complex. To truly protect your business now, you need to take a more holistic and innovative approach to security, one that can protect, detect, and respond to threats of all kinds on-premises as well as in the cloud.”
In today’s threat landscape, identity management is yesterday’s firewall. With multiple attack vectors available, it is important to understand the identity of those accessing data and systems. At the most basic level, identity management involves defining which users and/or devices, and under what circumstances, can access and interact with the IT systems framework. Allowing just enough access, only when needed, is an important step forward for security measures.
What to expect from an identity management system?
With various options for identity management, there are a few key factors to consider. Most, if not all, systems provide logs that allow for review and auditing. There are immense amounts of data that must be consistently and constantly reviewed. Microsoft Log Analytics and OMS are examples of tools that can take the data and filter it into easily viewed dashboards. The tools collect logs centrally. Not only can they review the data, but with machine learning the tools can understand the data, enabling quick action on any identified threat.
Machine Learning to Identify Anomalies and Monitor Patterns:
Machine learning (ML) is the next wave of advancement in security. Machine learning models in security primarily focus on:
- Identifying normal patterns
- Recognizing deviations from those patterns
- Evaluating the deviations to determine if they represent malicious activities and subsequently learn from the outcome
Patterns can arise in any number of scenarios, including network activity, user/client behavior and browsing, and user input.
When coupled with machine automation, ML can respond to potential threats in short order, without any human intervention. As the logic continues to grow and learn over time, the system can react and respond to new threats without signature updates or human action.
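The three steps listed above (learn what is normal, recognize deviations, evaluate them and learn from the outcome) are easier to see in code. The following is an added example written for this page; it is not code from the original post, from Log Analytics or from OMS. It runs over a few constructed sign-in log lines whose layout (UTC timestamp, user, result, source IP, country) is an assumption, builds a per-user baseline from the first day, scores the second day, and shows how an analyst's verdict feeds back into the baseline. The alert threshold and the failure window are tunable assumptions, not values from the post.

```python
"""Added example (not code from the original post or from any Microsoft product):
learn normal sign-in behaviour, flag deviations, evaluate them, feed back the outcome."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log. The line layout (UTC timestamp, user, result,
# source IP, country) is an assumption made for this example.
SAMPLE_LOG = """\
2017-10-18T08:02:11Z alice SUCCESS 10.0.0.12 US
2017-10-18T08:40:19Z alice SUCCESS 10.0.0.12 US
2017-10-18T09:15:02Z bob SUCCESS 10.0.0.33 US
2017-10-18T17:55:43Z alice SUCCESS 10.0.0.12 US
2017-10-18T18:03:10Z bob SUCCESS 10.0.0.33 US
2017-10-19T03:12:51Z alice FAILURE 203.0.113.7 RU
2017-10-19T03:13:04Z alice FAILURE 203.0.113.7 RU
2017-10-19T03:13:20Z alice FAILURE 203.0.113.7 RU
2017-10-19T03:14:01Z alice SUCCESS 203.0.113.7 RU
2017-10-19T08:10:33Z bob SUCCESS 10.0.0.33 US
"""

def parse(log_text):
    """Turn the log into dicts; timestamps become naive UTC datetimes."""
    records = []
    for line in log_text.strip().splitlines():
        ts, user, result, ip, country = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "result": result, "ip": ip, "country": country})
    return records

def split_by_date(records, cutoff):
    """Events before the cutoff train the baseline; the rest are scored."""
    train = [r for r in records if r["ts"] < cutoff]
    score = [r for r in records if r["ts"] >= cutoff]
    return train, score

def build_baseline(records):
    """Step 1: per-user 'normal' from successful sign-ins (IPs, countries, hours of day)."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set(), "hours": set()})
    for r in records:
        if r["result"] == "SUCCESS":
            b = baseline[r["user"]]
            b["ips"].add(r["ip"]); b["countries"].add(r["country"]); b["hours"].add(r["ts"].hour)
    return baseline

def deviations(r, baseline, recent_failures):
    """Step 2: list every way this successful sign-in departs from the user's baseline."""
    b = baseline.get(r["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if r["ip"] not in b["ips"]:
        reasons.append("new source ip")
    if r["country"] not in b["countries"]:
        reasons.append("new country")
    if not any(abs(r["ts"].hour - h) <= 1 for h in b["hours"]):
        reasons.append("unusual hour")
    if recent_failures >= 3:
        reasons.append(f"{recent_failures} failures in preceding window")
    return reasons

def detect(records, baseline, window_seconds=300, threshold=2):
    """Step 3: alert when enough deviations coincide (window and threshold are assumptions)."""
    alerts, failures = [], defaultdict(list)  # failures: user -> recent failure timestamps
    for r in sorted(records, key=lambda x: x["ts"]):
        recent = [t for t in failures[r["user"]] if (r["ts"] - t).total_seconds() <= window_seconds]
        failures[r["user"]] = recent
        if r["result"] == "FAILURE":
            recent.append(r["ts"])
            continue
        reasons = deviations(r, baseline, len(recent))
        if len(reasons) >= threshold:
            alerts.append({"user": r["user"], "ts": r["ts"], "ip": r["ip"],
                           "country": r["country"], "hour": r["ts"].hour, "reasons": reasons})
    return alerts

def learn_outcome(baseline, alert, confirmed_malicious):
    """Feedback: an alert confirmed benign (e.g. genuine travel) extends the user's baseline;
    a confirmed malicious one leaves the baseline untouched so the pattern keeps firing."""
    if not confirmed_malicious:
        b = baseline[alert["user"]]
        b["ips"].add(alert["ip"]); b["countries"].add(alert["country"]); b["hours"].add(alert["hour"])
    return baseline

def run_demo(analyst_says_benign=False):
    """Train on 18 Oct, score 19 Oct; optionally apply a benign verdict and re-score."""
    train, score = split_by_date(parse(SAMPLE_LOG), datetime(2017, 10, 19))
    baseline = build_baseline(train)
    alerts = detect(score, baseline)
    if analyst_says_benign:
        for a in alerts:
            learn_outcome(baseline, a, confirmed_malicious=False)
        alerts = detect(score, baseline)
    return alerts

if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"], a["user"], a["ip"], "->", "; ".join(a["reasons"]))
```

On the sample data only alice's 03:14 sign-in is raised: new IP, new country, an hour outside her baseline, and three failed attempts in the preceding five minutes. Once that alert is confirmed benign and fed back, the same events no longer cross the threshold, which is the "learn from the outcome" step; a malicious verdict leaves the baseline as it was.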
Along with external threats, identity management can protect from the inside as well. According to a recent Microsoft study, “in more than 63 percent of data breaches, attackers gain corporate network access through weak, default, or stolen user credentials.” Identity management security can be used in conjunction with perimeter systems for external attacks, but can also focus on internal systems for potential IP breaches and disclosures via internal users.
In today’s landscape, security threats are ever-changing and the security protection measures need to be equally as smart and agile.
How to protect against corruption?
Going a step beyond security measures, it is important to know how you will move forward should data be compromised, corrupted, or deleted. A solid disaster recovery plan is essential to limit downtime and loss should a disaster occur.
With current systems operating more and more in real-time, traditional nightly backups are quickly becoming inefficient for the recovery of data. While they may meet many retention requirements, nightly backups may be unable to quickly bring a system back online after an attack or corruption.
The focus should be on business continuity. Real-time replication and the ability to quickly revert to a previous state are essential.
The Microsoft Azure Site Recovery tool provides this real-time replication and the ability to recover to a point up to 72 hours back. This allows a system to be recovered to an operational state prior to the attack or corruption in a matter of minutes.
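The difference between a nightly backup and continuous replication comes down to which clean recovery point is still available once corruption is noticed. The following is an added example written for this page, not code from the original post or from Azure Site Recovery: it models both schedules as lists of recovery points, keeps only points that predate the corruption and still fall inside the 72-hour window the post mentions, and reports the data-loss gap. The 02:00 backup time and the five-minute replication cadence are assumptions. It also shows the caveat a practitioner would want: if the corruption is noticed more than 72 hours after it began, neither schedule has a clean point left inside the window.

```python
"""Added example (not from the original post or from Azure Site Recovery itself):
pick the newest clean recovery point each schedule offers inside a 72-hour window."""
from datetime import datetime, time, timedelta

RETENTION = timedelta(hours=72)  # the 72-hour window the post attributes to Azure Site Recovery

def nightly_points(start, end, hour=2):
    """One recovery point per day at `hour`:00 (an assumed backup time) within [start, end]."""
    points, day = [], start.date()
    while day <= end.date():
        p = datetime.combine(day, time(hour))
        if start <= p <= end:
            points.append(p)
        day += timedelta(days=1)
    return points

def replication_points(start, end, interval=timedelta(minutes=5)):
    """A recovery point every `interval` (an assumed replication cadence) within [start, end]."""
    points, p = [], start
    while p <= end:
        points.append(p)
        p += interval
    return points

def choose_recovery_point(points, corruption_time, now, retention=RETENTION):
    """Newest point strictly before the corruption that is still inside retention, else None."""
    usable = [p for p in points if p < corruption_time and now - p <= retention]
    return max(usable, default=None)

def compare_schedules(corruption_iso, now_iso, history_start_iso):
    """Chosen point and data-loss gap for both schedules; inputs are ISO 8601 timestamps."""
    corruption = datetime.fromisoformat(corruption_iso)
    now = datetime.fromisoformat(now_iso)
    start = datetime.fromisoformat(history_start_iso)
    result = {}
    for name, points in (("nightly", nightly_points(start, now)),
                         ("replication", replication_points(start, now))):
        p = choose_recovery_point(points, corruption, now)
        result[name] = {"point": p.isoformat() if p else None,
                        "loss_minutes": int((corruption - p).total_seconds() // 60) if p else None}
    return result

if __name__ == "__main__":
    # Corruption at 14:30, noticed half an hour later: nightly loses 12.5 h, replication 5 min.
    print(compare_schedules("2017-10-19T14:30", "2017-10-19T15:00", "2017-10-16T00:00"))
    # Noticed more than 72 hours late: no clean point is left inside the window for either schedule.
    print(compare_schedules("2017-10-16T10:00", "2017-10-19T15:00", "2017-10-16T00:00"))
```

The point strictly before the corruption time is chosen on purpose: a recovery point taken at the moment corruption began may already contain it. The second scenario is the reason detection speed matters as much as the replication itself; a 72-hour window only helps if the incident is recognized within it.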
How to move forward:
It is essential, in this current state of rapidly evolving security threats, to match the threats head on. This requires planning for internal and external threats, employing the newest identity management and ML technologies to allow for quick automated action, and preparation for a disaster should it occur.
To learn how to employ an identity management security system or plan for any disaster, contact Attunix for a free cloud assessment.