If these large organizations are incapable of keeping unwanted people off their systems, then who is?
The answer unfortunately is: not many. So we must assume our systems are compromised. Compromised is the new normal.
This has implications for our security efforts:
- We need to increase our detection capabilities
- We need to be able to respond quickly, preferably in an automated fashion, when we detect an intrusion
Increasing Intrusion Detection Capabilities with Security Analytics
There are usually many small signs that something fishy is going on when an intruder has compromised your network.
For instance, our log files might show that someone is logging in from an IP address in China instead of San Francisco. While that may be normal for our CEO, it’s very unlikely for her secretary.
Another example is when someone tries to access a system it normally doesn’t. This may be an indication of an intruder trying to escalate his privileges.
RSA recently released a report that predicts that big data will play a big role in Security Incident Event Monitoring (SIEM), network monitoring, Identity and Access Management (IAM), fraud detection, and Governance, Risk, and Compliance (GRC) systems.
Quick, Automated, Responses to Intrusion Detection with Risk-Adaptive Access Control
The information we extract from our big security data can be used to drive decisions. The next step is to automate those decisions and actions based on them.
Large organizations, with hundreds or even thousands of applications, have a large attack surface. They are also interesting targets and therefore must assume they are under attack multiple times a day.
Anything that is not automated is not going to scale.
This dynamic access control based on risk information is what NIST calls Risk-Adaptive Access Control (RAdAC).
As I’ve shown before, RAdAC can be implemented using eXtensible Access Control Markup Language (XACML).
What do you think?
Is your organization ready to look at security analytics? What do you see as the major road blocks for implementing RAdAC?