Kurt Johnson, Vice President of Strategy and Corporate Development, has posted a blog on Wired Innovations Insight titled “Data Breach? Just Tell It Like It Is.”
In the post, Kurt discusses the negative PR implications of delayed breach disclosure and recommends improving your breach deterrence and detection capabilities by continuously monitoring identity and access activity for anomalous patterns and problems, such as orphan accounts, duties that need to be segregated, ill-conceived provisioning or just unusual activity.
Read the full post now.
Today Courion was named a leader in the 2014 Leadership Compass for Access Governance by KuppingerCole, a global analyst firm. Courion’s Access Assurance Suite was recognized for product features and innovation, and as a very strong offering that covers virtually all standard requirements. In the management summary of the report, Courion is highlighted as the first to deliver advanced access intelligence capabilities.
Courion was also recognized as a leader in the Gartner Magic Quadrant for Identity Governance and Administration (IGA) and as a leader in the KuppingerCole Leadership Compass for Identity Provisioning earlier this year.
The US Department of Homeland Security recently published a Public Service Announcement, “Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information”, touching on multiple (and all too familiar) insider threat scenarios.
This announcement is the proverbial icing on the “insider threat” cake baked a long time ago. Disgruntled employees, malfeasance, or general conduct unbecoming is nothing new. What is new is recognition that bad actors act with alarming efficiency to siphon off value from companies. These 21st century digital pickpockets of sensitive data and proprietary information are a new challenge with their blazing speed and seemingly invisible movement within their firms.
Of the ten recommendations offered to confront this issue, seven focus on Identity and Access Management (IAM) tasks. First on the list is: Conduct a regular review of employee access and terminate any account that individuals do not need to perform their daily job responsibilities.
Clearly a prudent recommendation. Yet, an elusive goal for even the most sophisticated IAM teams. How do you align regular reviews with a continuously evolving threat? How do you elevate existing risk management operating procedures without impeding your normal course of business? With internal personnel moves occurring by the hour, how can you possibly ensure that the right people have the right access to the right information and are doing the right things with it?
The way forward must be a combination of strong IAM fundamentals coupled with innovative capability found in identity and access intelligence solutions such as Courion’s Access Insight™. Access Insight helps firms redefine access management practices to take IAM beyond the traditional and into the exceptional. For example, Harvard Pilgrim Health Care uses Access Insight to document exactly who is accessing PHI in order to streamline and enhance their audit readiness for federal HIPAA regulations.
Tasks previously impractical to pursue are now within reach when you leverage Access Insight’s big data framework. This actionable intelligence enables you to close the access risk process gap inherent in traditional IAM models. For example, Universal American uses Access Insight to analyze and compare current user access behavior to historical norms in near real-time to spot unusual behavior and trigger actionable alerts.
Allow us to speak with you about our proven approaches to reduce access risk. Ask about how our Access Risk Quick Scan offer can help you uncover your organization’s access risk – in just hours. Check us out and let us help you take your IAM beyond the traditional to the truly exceptional.
We all have skeletons in our IT closets that we'd rather forget about. In nearly every organization’s network, there is a legacy application or old piece of infrastructure that is bound to reach the end of its useful life at some point, yet plans for removal of obsolete technology typically do not exist. What we often fail to consider, however, is the fate of our service accounts associated with these aging applications and infrastructure. Unmanaged or unused service accounts represent a qualified, and in the case of Target Corporation, hugely quantifiable, risk to any organization. Continuous intelligence-based pattern recognition and monitoring using an identity and access analytics product like Courion Access Insight is the easiest and most effective way to mitigate such risk.
Service accounts are accounts on a system that are intended to be used by software in order to gain access to and interact with other software. Correspondingly, it is common practice that passwords for such service accounts are not frequently changed, so that the loss of this interconnectivity can be avoided. These accounts are also frequently highly privileged, allowing a large number of activities to be integrated between systems.
How is this a risk if the accounts aren't meant for humans?
At its core, the pattern is no more complicated than the hacks often seen on the news when someone has altered the message displayed on a road construction sign: an attacker finds or knows of a default service account and password that exists on the system and exploits it to gain access.
The Target breach was only slightly more complicated: attackers were aware of a service account laid down automatically by the installation of BMC software. The attackers were able to leverage that service account to elevate the privileges of a new account they created for themselves on the network, and the rest is history. The attack cost Target an estimated $2.2 billion, and highlighted that some common IT practices may not be "best" practices at all.
How can this threat be managed? How does one even identify a service account?
When the service accounts have been purposefully created, identification of these accounts can be straightforward. Naming conventions within your IAM system can be applied that mark an account as a service account. However, too often, there's no such obvious clue. This is where the pattern and trend recognition provided by an identity and access intelligence solution like Access Insight becomes key. The intelligence engine acts like a detective. It uses the circumstantial evidence about an account's activity and history to determine its purpose. The engine analyzes things like password reset history, login history, privilege patterns, ownership, and more to determine accounts that may be service accounts and which may represent a high risk of compromise.
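As an added illustration (not Courion code and not the engine described above), here is how the circumstantial signals just listed can be combined into a heuristic score over constructed account records; the field names, weights and thresholds are assumptions chosen for the example.

```python
"""Heuristic service-account identification over constructed account records.
Added illustration; not Courion code. Signals, weights and thresholds are
assumptions chosen for the example."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    owner: Optional[str]                  # accountable person, None if nobody
    last_password_change: datetime
    logins: List[Tuple[datetime, str]] = field(default_factory=list)  # (when, logon kind)
    privileged_groups: frozenset = frozenset()
    naming_hint: bool = False             # created under a known svc_ naming convention


def score_service_account(acct: Account, now: datetime) -> Tuple[int, List[str]]:
    """Return (score, reasons). A high score means the account behaves like a
    service account and is worth an immediate ownership/privilege review."""
    score, why = 0, []
    if acct.naming_hint:
        score += 3
        why.append("naming convention marks it as a service account")
    # Service passwords are rarely rotated; human passwords expire and change.
    pw_age = (now - acct.last_password_change).days
    if pw_age > 365:
        score += 3
        why.append(f"password unchanged for {pw_age} days")
    # Software logs on as a service or batch job, never at a console.
    kinds = {kind for _, kind in acct.logins}
    if acct.logins and "interactive" not in kinds:
        score += 2
        why.append("non-interactive logons only")
    # A scheduled job logs on at the same clock time every run.
    slots = {(ts.hour, ts.minute) for ts, _ in acct.logins}
    if len(acct.logins) >= 5 and len(slots) == 1:
        score += 1
        why.append("logons always at the same time of day")
    if acct.privileged_groups:
        score += 2
        why.append(f"privileged: {sorted(acct.privileged_groups)}")
    if acct.owner is None:
        score += 2
        why.append("no accountable owner on record")
    return score, why


def rank_accounts(accounts: List[Account], now: datetime, threshold: int = 5):
    """Prioritized list of (name, score) for accounts at or above threshold."""
    scored = [(a.name, score_service_account(a, now)[0]) for a in accounts]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


# Constructed sample data: an unowned, privileged agent account whose password
# was never rotated, an ordinary user, and a properly declared service account.
NOW = datetime(2014, 9, 1, 8, 0)
SAMPLE = [
    Account("app_monitor", None, datetime(2012, 3, 1),
            logins=[(datetime(2014, 8, d, 2, 15), "service") for d in range(1, 8)],
            privileged_groups=frozenset({"Domain Admins"})),
    Account("jsmith", "Jane Smith", datetime(2014, 7, 15),
            logins=[(datetime(2014, 8, d, 9, 7 + d), "interactive") for d in range(1, 8)]),
    Account("svc_backup", "IT Operations", datetime(2014, 1, 10),
            logins=[(datetime(2014, 8, d, 23, 0), "batch") for d in range(1, 8)],
            naming_hint=True),
]
```

Running `rank_accounts(SAMPLE, NOW)` puts the unowned, privileged, never-rotated account first, while the human user scores zero.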
We have quarterly compliance reviews, surely that will catch the risks, right?
Modern access governance is critical, but there are some gaps that modern attackers have learned to exploit. The biggest gap is speed. The typical organization will perform compliance reviews quarterly. These compliance reviews are great for looking back in time and reviewing what has happened, but they're not timely enough to catch an attacker red-handed.
As an analogy, consider the robbery of a bank vault. If it is discovered three months later, the knowledge of what happened doesn't really help much. But if an alarm sounds right away and summons the police, this will help. Similarly, Access Insight gives you the tools to sound that alarm immediately, so you can understand what is happening within your network and take steps to remediate it at that moment, not in three months when the hacker is long gone with your data.
The next biggest gap is complexity. Large organizations can suffer from data overload. A compliance review may or may not catch every single service account risk in the organization which may be hidden somewhere amongst the thousands of pages of mundane, normal accounts. They're easy to overlook, and hard to find after the fact. Access Insight uses built-in algorithms combined with risk weighting you tailor to your network. This provides you with a color-coded, prioritized view of your organization's risk.
How fast can the problem be tackled?
To assist with this problem, Courion now offers a complimentary quick scan evaluation of access risk which leverages Access Insight, to help organizations gauge whether they have an ungoverned or unmanaged service account problem. This quick scan can often be completed in a single day and provides a prioritized view of where remedial action is needed most. Of course, fully deploying Access Insight on your network, regardless of what IAM suite you have installed, will give you the visibility, or insight, you really need through continuous monitoring to find and fix access-related risk, now and on an ongoing basis, not just at a point in time.
Courion, the leading provider of IAM solutions for healthcare organizations, has designed its connector framework to interface with a wide variety of IT systems, including popular healthcare applications from vendors such as Epic.
Healthcare institutions continue to move rapidly to adopt a range of technology solutions for improving patient outcomes and reducing costs by automating clinical information and processes.
In order to effectively address the security concerns posed by these applications, healthcare organizations turn to identity and access management solutions to ensure that users, such as physicians or billing clerks, are provided timely and efficient access to information and that their access rights are consistent with their roles and enterprise security policy. These IAM solutions require the use of connectors to various healthcare-specific and general use applications in order to create, manage and terminate user access rights in accordance with policies and regulations.
Courion recently published a technology brief for healthcare organizations interested in implementing and managing user identity profiles for Epic and other systems throughout their organization.
To download a copy of this paper, click here.
In a Tuesday August 26th press release and follow-on blog post, we shared a few details regarding how the latest version of the Access Assurance Suite leverages intelligence at the initial point of provisioning. This new capability ensures that you don’t inadvertently provide users with access that may lead to a governance violation. It complements the IAM suite’s existing use of intelligence to monitor users’ access and to automatically alert you or take action when a user’s access falls out of compliance. But wait, there’s even more in 8.4!
The latest version of the Access Assurance Suite also enables you to easily configure your identity and access management system to reflect how you intuitively think about your business. Now your users can search for access, approve requests, and certify access in your own familiar everyday language and with your own natural organizational structure. We call this Access Your Way. This new access model can be used along with our suite’s existing tagging capabilities, improving your ability to categorize access for fast, intuitive user searches.
We’ve also leveraged new user interface technology to give the product a fresh new look and to extend support to a variety of additional browsers and devices. You can now use the Access Assurance Suite from an expanded range of Google Chrome, Internet Explorer and Mozilla Firefox browsers across PCs, tablets, and mobile phones. The Access Assurance Suite’s responsive new user interface automatically scales to different browser and device sizes. There’s no longer a need to wait until you get to your desk to reset your password. Just grab your Apple or Android cell phone or tablet and go.
Of course, intelligent provisioning, Access Your Way, and a great user experience are only part of what’s new. The 8.4 release includes dozens of other new capabilities ranging from expanded user dashboards to increased control over delegation to more sophisticated encryption and hashing algorithms to simplified self-service capabilities.
To learn more click here or call us at 866.COURION.
Recently we announced the latest version of the Access Assurance Suite. The 8.4 revision brings Courion’s market-leading intelligence capabilities to where it all begins: provisioning. Now, business policy validation is fully baked into the access definition and user provisioning process in real time. As a result, inappropriate access assignments can now be flagged from the start and prevented.
Here’s how it works: when an access request is submitted, the embedded intelligence engine alerts the user with a list of defined business policy violations.
For example, an alert could be triggered automatically if a user requested access to both create purchase orders and approve orders, a Segregation of Duty (SoD) business policy violation.
You are then able to remedy the violation or request a policy exemption. All of your approvers can easily view the history of the request along with any follow-on exemption requests, providing a more intuitive approval process and eliminating bottlenecks.
This is a great complement to the suite’s existing continuous monitoring capabilities, which detect business policy violations whenever they occur, enabling provisioning remediation without the need for human intervention and further automating the governance process. Now your organization can both start compliant and stay compliant on an ongoing basis. A nice one-two punch!
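The request-time check and the continuous monitor described above, as an added example that is not the Access Assurance Suite's engine: one constructed rule catalogue is evaluated both when access is requested (raising only the violations the request would introduce, with an exemption path) and as an ongoing scan of access already granted.

```python
"""Segregation-of-duty (SoD) checks run at the point of provisioning and again
as a continuous scan of access already granted. Added illustration with
constructed entitlements and policies; not the Access Assurance Suite engine."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class SodRule:
    name: str
    conflicting: FrozenSet[str]   # holding all of these at once is a violation


# Constructed policy catalogue, e.g. creating AND approving purchase orders.
RULES = [
    SodRule("PO-create-vs-approve", frozenset({"po:create", "po:approve"})),
    SodRule("vendor-create-vs-pay", frozenset({"vendor:create", "payment:release"})),
]


def violations(entitlements: Set[str], rules: List[SodRule] = RULES) -> List[str]:
    """Names of every rule whose conflicting set is fully held."""
    return [r.name for r in rules if r.conflicting <= entitlements]


def evaluate_request(current: Set[str], requested: Set[str],
                     exempt: Set[str] = frozenset(), rules=RULES) -> dict:
    """Point-of-provisioning check. Only violations the request would
    introduce are raised (minus any approved exemption), so the requester can
    drop the conflicting item or ask for a policy exemption before approval."""
    before = set(violations(current, rules))
    after = set(violations(current | requested, rules))
    new = sorted((after - before) - set(exempt))
    return {"allowed": not new, "new_violations": new}


def continuous_scan(assignments: Dict[str, Set[str]],
                    exemptions: Dict[str, Set[str]], rules=RULES) -> Dict[str, List[str]]:
    """Ongoing monitor over granted access (access drifts as people change
    roles): report each user's violations not covered by an approved exemption."""
    findings = {}
    for user, ents in assignments.items():
        open_ = [v for v in violations(ents, rules) if v not in exemptions.get(user, set())]
        if open_:
            findings[user] = open_
    return findings


# Constructed data: bob has drifted into a conflict; carol's was formally exempted.
ASSIGNMENTS = {
    "alice": {"po:create"},
    "bob": {"po:create", "po:approve"},
    "carol": {"vendor:create", "payment:release"},
}
EXEMPTIONS = {"carol": {"vendor-create-vs-pay"}}
```

`evaluate_request(ASSIGNMENTS["alice"], {"po:approve"})` is blocked with the PO rule named, and `continuous_scan(ASSIGNMENTS, EXEMPTIONS)` reports only bob.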
Watch for future posts about additional new features in 8.4.
On August 20th, UPS Stores announced that they hired a private security company to perform a review of their Point of Sale (PoS) systems after receiving Alert (TA14-212A) Backoff Point-of-Sale Malware about a new form of PoS attack and, surprise, they found out that they had a problem. They released some information about which stores and the type of information was exposed, but little else. Freedom of Information Act requests have already been filed.
What followed was the predictable media buzz, where it was postulated that this was yet another PoS breach similar to those that affected Neiman Marcus and Target. While there is some truth in this, there are interesting bits that make this case very different.
This was a brute force password attack against remote desktop applications (the list named in the Alert includes Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn).
Because UPS is a franchise, the PoS systems are not centrally managed, so each store was individually hacked. This might explain why the actual impact was low (1% of the stores affected) and why UPS is not completely certain what was taken.
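As an added example (not code from UPS, the security firm it hired, or the Alert), this is the kind of detection logic a store operator could run over Windows Security log events to spot the remote-desktop password-guessing pattern described above; the one-line log format is constructed and simplified, while event IDs 4625/4624 and logon type 10 are the standard Windows values.

```python
"""Detecting a remote-desktop password-guessing burst from Windows Security
events. Added illustration; not code from the UPS review or the Alert.
Event 4625 = failed logon, 4624 = successful logon, LogonType=10 =
RemoteInteractive (RDP) are standard Windows values; the one-line log
format here is constructed and simplified."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(r"(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<lt>\d+) "
                  r"User=(?P<user>\S+) Src=(?P<src>\S+)")


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "event": int(d["event"]),
            "logon_type": int(d["lt"]), "user": d["user"], "src": d["src"]}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """One alert per source address that reaches `threshold` failed RDP logons
    inside `window`. The alert records every account name tried and, if a
    later RDP success arrives from the same source, that success: a burst of
    failures followed by a success is the strongest sign a password was found."""
    recent = defaultdict(deque)   # src -> (ts, user) failures still inside window
    alerts = {}
    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["logon_type"] != 10:
            continue              # only RemoteInteractive logons are in scope
        src = ev["src"]
        if ev["event"] == 4625:
            q = recent[src]
            q.append((ev["ts"], ev["user"]))
            while ev["ts"] - q[0][0] > window:
                q.popleft()       # slide the window forward
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["users_tried"].add(ev["user"])
            elif len(q) >= threshold:
                alerts[src] = {"first_seen": q[0][0], "failures": len(q),
                               "users_tried": {u for _, u in q}, "success": None}
        elif ev["event"] == 4624 and src in alerts and alerts[src]["success"] is None:
            alerts[src]["success"] = (ev["user"], ev["ts"])
    return alerts


# Constructed sample: a burst of guesses then a successful logon from
# 203.0.113.7 (documentation range), and a clerk's single typo then success.
SAMPLE_LOG = [
    "2014-08-12T02:14:05 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T02:14:08 4625 LogonType=10 User=pos Src=203.0.113.7",
    "2014-08-12T02:14:11 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T02:14:14 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T02:14:17 4625 LogonType=10 User=pos Src=203.0.113.7",
    "2014-08-12T02:14:20 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T02:14:23 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T02:14:26 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T02:14:40 4624 LogonType=10 User=admin Src=203.0.113.7",
    "2014-08-12T09:02:11 4625 LogonType=10 User=clerk Src=198.51.100.20",
    "2014-08-12T09:02:30 4624 LogonType=10 User=clerk Src=198.51.100.20",
]
```

`detect_rdp_bruteforce(SAMPLE_LOG)` raises exactly one alert, for the guessing source, and notes the success that followed; the clerk's single failure is ignored.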
What’s the same?
European Union residents, armed with EMV protected cards, may feel they are immune to these problems. If this were the case, then why are we seeing a dramatic rise in the use of card scrapers throughout Europe? Perhaps that’s a topic for another time.
What can you do to deter a breach that takes advantage of vulnerabilities in your identity and access equation? Begin by practicing good hygiene by following the identity and access controls recommended in Alert (TA14-212A), the 2014 Verizon Data Breach Report and the SANS Security Controls Version 5, as outlined by my colleague Brian Milas in this blog post.
What can you do to detect a breach as soon as possible? Brian points out in the same post that by using an intelligent IAM solution, you will be better equipped to minimize the type of access risk that leads to a breach by provisioning users effectively from the start, and will also be better able to detect access risk issues as they happen and remediate them on an ongoing basis by leveraging continuous monitoring capabilities.
The point is, regardless of the exact details and mechanisms employed in an attack, you can and should do what is under your control to minimize risk and equip yourself for early detection. Identity and access intelligence is a good place to start.
Purdue Pharma L.P., a privately held pharmaceutical company based in Stamford, Connecticut, has selected the Courion Access Assurance Suite™ after an evaluation of several competing offerings. The pharmaceutical company will leverage the intelligence capabilities of the Access Assurance Suite to maintain regulatory compliance and mitigate risk.
Purdue Pharma, together with its network of independent associated US companies, has administrative, research and manufacturing facilities in Connecticut, New Jersey and North Carolina.
With implementation of the intelligence capabilities within the Courion IAM Suite, Purdue will be able to leverage this product to automate routine IAM tasks and maintain compliance with US Food & Drug Administration requirements.
Now that Cloud Identity Summit is over, I’m taking some time to reflect on the Intelligence workshop. In the workshop we looked at some of the IAM approaches used today and some of their limitations. Given that the bad guys are motivated and creative, we need to look to new techniques to detect and deter them. Applying analytics and Intelligence fundamentally changes the game from the traditional approaches.
Reports on data breaches illustrate the large contribution that hackers make to data breaches as compared to other causes such as lost laptops or lost media. As an example, check out:
– Ponemon’s 2014 report on the cost of data breaches, which states, “In most countries, the primary root cause of the data breach is a malicious insider or criminal attack.”
– Verizon Data Breach Investigations Report, which states, “. . . 92% of the 100,000 incidents we’ve analyzed from the last ten years can be described in just nine basic patterns.”
– New York State Attorney General Data Breach Report, “Hacking attacks accounted for over 40 percent of data security breaches, between 2006 and 2013.”
So just how prevalent are data breaches? Consider these statistics:
These numbers come from the aforementioned New York State Attorney General Report which analyzed data breaches:
– 20M: the population of New York City in July 2013
– 7.4M: the number of residents breached in 2013, that’s about 85% of the population
– 900: the number of breaches in 2013, about 2.5 per day or 8,000 records/breach. BTW, the number has tripled since 2006
– $1.3B: the cost to the public and private citizens of these breaches
So what’s missing from today’s techniques? We see two (2) major challenges.
Deterrence: What can you do NOW in IAM to reduce the likelihood of a breach? Clean house and reduce the attack surface: get rid of abandoned accounts, make sure orphan accounts are properly managed, eliminate access that is not needed, keep Superuser administrator accounts to a minimum, manage to least privilege. For further confirmation of these suggestions, see the 2014 Verizon DBIR recommendations and the SANS 5 Security Control recommendations:
The 2014 Verizon Data Breach Investigations Report recommends 4 identity and access management tactics to address insider and privilege misuse:
– Know your data and who has access to it
– Review user accounts
– Watch for data exfiltration
– Publish audit results
And the SANS Institute, a leader in computer security training, offers version 5 of the organization’s Top 20 Critical Security Controls, which recommend several identity management processes:
– Controlled Use of Administrative Privileges
– Maintenance, Monitoring, and Analysis of Audit Logs
– Account Monitoring and Control
– Data Protection
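The "clean house" items in the deterrence paragraph above (abandoned accounts, orphan accounts, a minimal set of superuser accounts), as an added example that is not a Courion report: it joins a constructed directory extract against a constructed HR extract and classifies each account, with the remediation an analyst would be asked to confirm. The 90-day staleness window and the superuser cap are assumed policy values.

```python
"""Access-review hygiene: abandoned accounts, orphan accounts, and how far
superuser rights have spread. Added illustration joining constructed directory
and HR extracts; not a Courion report. The staleness window and superuser cap
are assumed policy values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class DirAccount:
    name: str
    owner_id: Optional[str]         # HR employee id, None if never recorded
    last_logon: Optional[datetime]  # None if the account has never been used
    groups: Set[str]


SUPERUSER_GROUPS = {"Domain Admins", "Enterprise Admins"}   # constructed policy


def hygiene_review(accounts: List[DirAccount], hr_status: Dict[str, str], now: datetime,
                   stale_after: timedelta = timedelta(days=90),
                   max_superusers: int = 2) -> Dict[str, list]:
    """Bucket accounts into the categories a regular access review must act on."""
    findings = {"abandoned": [], "orphan": [], "superusers": []}
    for a in accounts:
        # Abandoned: never used, or unused past the staleness window.
        if a.last_logon is None or now - a.last_logon > stale_after:
            findings["abandoned"].append((a.name, "disable, delete after grace period"))
        # Orphan: no owner on record, or the owner is no longer active in HR.
        status = hr_status.get(a.owner_id) if a.owner_id else None
        if status != "active":
            findings["orphan"].append((a.name, "assign an owner or terminate"))
        # Superuser: any membership in an all-powerful group counts.
        if a.groups & SUPERUSER_GROUPS:
            findings["superusers"].append(a.name)
    findings["superuser_cap_exceeded"] = len(findings["superusers"]) > max_superusers
    return findings


# Constructed extracts: a current employee, a leaver whose account lingers with
# admin rights, an ownerless legacy integration account, and a second admin.
NOW = datetime(2014, 7, 15)
HR = {"e100": "active", "e200": "terminated", "e300": "active"}
ACCOUNTS = [
    DirAccount("jdoe", "e100", datetime(2014, 7, 14), {"Staff"}),
    DirAccount("mleft", "e200", datetime(2014, 2, 1), {"Staff", "Domain Admins"}),
    DirAccount("legacy_etl", None, None, {"Domain Admins"}),
    DirAccount("asmith", "e300", datetime(2014, 7, 10), {"Enterprise Admins"}),
]
```

`hygiene_review(ACCOUNTS, HR, NOW)` flags the leaver and the legacy account as both abandoned and orphaned, and reports that three superusers exceed the cap of two.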
Monitoring and Detection: Cleaning your house (reducing the attack surface) is good, but you must detect when a “spill” occurs. By monitoring and taking action on the anomalies, you’re able to start reducing the window available for exploit, so you need to be keeping constant watch with identity and access intelligence or analytics.
To get the big picture of access across everything (from person to data) you’ll need to understand and analyze relationships between different objects and systems . . . but this quickly becomes millions and billions of relationships in the typical organization. As Mark Diodati of Ping Identity talked about in his “Modern Identity” presentation, the difficulty of managing identity and access increases with distance, which you can think of as “remoteness.”
The second challenge has to do with time, more specifically reaction time. Our ability to detect and react to a breach or vulnerability is moving slower than the adversary. Hence we have little (or no) time to act . . . we’re constantly “on our heels”.
Let’s look at a typical lifecycle with IAM. The frequency between “Assign” and “Review” may be months, quarters, or even longer:
Assign Access >> Time passes >> Things Change >> Review Access & Remediate
How do we increase the frequency of our detect/react cycle to better combat the adversary? By improving our capabilities around:
We need to continually analyze and understand the complexity and monitor. “Monitor” can be done on the order of hours or minutes . . . allowing the “Review” steps to happen much more quickly.
Assign Access >> Monitor as Time Passes & Things Change >> Review Access & Remediate
The Insider and Privilege Misuse section of the Verizon DBIR summarizes the discovery timeline (figure 38). Detection within days (34%) is good, but many took months (11%) or years (2%) to discover.
By applying Intelligence and Analytics, we can continually update and understand complexity, and then detect and act on things that we have been proactively looking for . . . increasing our speed and frequency. In addition, with all of the complex relationships analyzed and at hand, we’re free to slice, dice, drill down and apply forensics to identify the next/upcoming set of things to monitor . . . adding those into the category of complex items that we can:
Traditional approaches are an important part of providing security, speed, and value to the business . . . but we can do better. As CIOs and CISOs, we are in an arms race with the bad guys, and in some ways it’s an arms race to keep up with the complexity of the business’s environment. Through the application of Analytics and Intelligence along with other approaches, we can understand and manage complexity and act on it more quickly, mitigating breaches quickly, or even better, reducing risk and avoiding some of them altogether.