SESSION ID: IDY-R01

Scaling IAM Rules with ML-Based Risk Analytics? You Don't Need to Be a Ninja

Alex Zaslavsky, Senior Principal Data Scientist, RSA
Sudarsan Kannan, Consultant Manager, RSA

#RSAC

"No one does Security well"

"No one does Identity-Risk Analytics Security well"

Too many parameters…
We all want to grow at different paces!

Your access control policies… Well, it's complicated
• Black list/whitelist
• AD attribute based
• Contextual/Dynamic rules

Rules are great for protecting your Identities!

Rules Engine
• Well defined requirements
• Need to meet strict industry regulations or stronger compliance
• Raw data (facts)
• Ex: If (IP address = 192.168.x.x) Then do Y

Identity Risk Analytics
• Complex correlation of multiple inputs to make identity decisions
• Gives insights/tells a story/provides visibility on user's access patterns
• Managing rules becomes more complex as more facts (raw data) are added, leading to policy ineffectiveness
• Ex: If (IP_Type = Office) Then do Y. Office classification is done by the analytics engine

Risk Analytics can complement Rules in protecting those identities
Use Risk Analytics for the UNKNOWN and rules for the KNOWN

What may be your resistance in adopting Identity Risk Analytics?
• Do ML-Analytics driven decisions suit your identity needs?
• Are you waiting to make a good security decision until some compelling event happens?
• Does your IAM team have the people and process layers to benefit from the decisions made by ML-Analytics?

Master the invisibility – Your mental model
Build your mental model to get past initial resistance

Establish your business and security OBJECTIVES
• Improve end-user experience
• Measure access policy effectiveness
• Manage security attacks

Take control of your state (The PRESENT)
• Understand your access policies and business drivers
• Where does your data reside?
• Who are your users?

Understand your people, process & technology CONSTRAINTS
• Skill sets / expertise
• Cost
• Time required to support and achieve your business and security goals

What is your compelling event?

Type A - DNA
• User Experience
• Productivity
• Eliminate Passwords

Typical Characteristics
• Experienced less impactful breaches
• Lesser dependency on end-user data that needs to be protected
• Basic compliance
• More focused on reducing cost
• Single IT team managing all security use-cases

What is your compelling event?

Type B - DNA
• Mitigate Attacks
• Security Policies
• Regulations

Typical Characteristics
• Heavily regulated and compliance is in their DNA
• Lot of business impacting critical data (ex: financial)
• Constantly under attacks
• Dedicated security teams
• CRO/CISO have bigger role

Define identity specific use-cases that need to be addressed through dynamic rules

Use cases – A sample
1. Initial Access
2. Privilege Escalation
3. Lateral Movement

Detection Techniques
• Looking at peer admin activity
• Application access rate
• Correlate ground speed identity
• Understand application access rate
• Device access rate
• Authentication velocity
• Ground speed
• Time of access
• Looking for type of device and device statistics

Bring your ML vision to life and mature it

• Unified decisions across apps
• More apps and rules
• Sharing of intelligence
• Continuous risk assessment of access patterns

• Use Contextual policies
• Continue to add rules
• Analyze the data/insights
• Measure policy effectiveness

• Data explosion
• Cloud transformation
• Third party identities
• Technology shift

Build / Vendor partnership
• Development expertise
• Data Science skills
• Security team dynamics
• Timeline objectives
• Financial backing

Should I be thinking about UEBA?

1 Understand the commonalities

2
• How do your IAM and security teams interact?
• How much of correlation and depth do you need?
• Looking for broader insights and investigation power?
• How much of manpower do you need to expend?
• Do you need continuous improvement of IAM policies?

3 Where can you complement?

START WITH YOUR PROBLEM
DEFINE EXPECTED OUTCOME
MAP OUTCOME TO PROBLEM

• Helps make decisions at the moment of access due to being inline to user flow
• Focusses more on access control objectives
• Learns near real time due to real time feedback
• Helps you make quicker IAM policy decisions/changes
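
The deck's two rule examples, If (IP address = 192.168.x.x) and If (IP_Type = Office), side by side as an added example that is not from the original slides. The classification heuristic (a /24 used by at least three distinct users counts as Office), the login history and all function names are assumptions made for illustration; the talk does not say how its analytics engine classifies an address.

```python
import ipaddress
from collections import defaultdict

# Constructed login history (user, source IP); not data from the talk.
HISTORY = [
    ("alice", "203.0.113.10"), ("bob", "203.0.113.11"),
    ("carol", "203.0.113.12"), ("dave", "203.0.113.10"),
    ("alice", "198.51.100.7"), ("alice", "198.51.100.7"),
    ("bob", "192.0.2.44"),
]

def static_rule(ip):
    """Rule on a raw fact: If (IP address = 192.168.x.x) Then do Y."""
    in_range = ipaddress.ip_address(ip) in ipaddress.ip_network("192.168.0.0/16")
    return "Y" if in_range else "default"

def _net(ip, prefix):
    # Map an address to its enclosing network, e.g. 203.0.113.10 -> 203.0.113.0/24.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def classify_ip_types(history, min_users=3, prefix=24):
    """Stand-in for the analytics engine (assumed heuristic): a network shared
    by at least min_users distinct users is 'Office', anything else 'Other'."""
    users = defaultdict(set)
    for user, ip in history:
        users[_net(ip, prefix)].add(user)
    return {net: "Office" if len(seen) >= min_users else "Other"
            for net, seen in users.items()}

def analytics_rule(ip, ip_types, prefix=24):
    """Rule on a derived attribute: If (IP_Type = Office) Then do Y.
    Networks never seen in the history are not Office, so they get 'default'."""
    return "Y" if ip_types.get(_net(ip, prefix)) == "Office" else "default"

if __name__ == "__main__":
    ip_types = classify_ip_types(HISTORY)
    for ip in ("192.168.1.5", "203.0.113.50", "198.51.100.7", "10.9.9.9"):
        print(ip, "static:", static_rule(ip), "analytics:", analytics_rule(ip, ip_types))
```

The static rule has to be edited for every new address range, while the IP_Type rule stays the same and only the learned classification changes as login history accumulates.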

PDF document: 2020_USA20_IDY-R01_01_Scaling-IAM-Rules-with-ML-Based-Risk-Analytics (32 pages)
This document was uploaded and shared by 张玉竹 on 2022-04-08 09:53:15.