Traditional security controls, now too manual and slow to keep pace with digital business processes, customer experiences and workflows, are being relegated to the compliance toolbox.
They will satisfy regulators, auditors, security assessors and stakeholders who view security through the lens of established frameworks designed to align business and IT practices, such as ISO 27001, NIST 800-53, and so on.
While these frameworks are necessary, they are incapable of keeping pace with a threat landscape that keeps evolving. Adversaries are easily able to evade traditional security measures, using massive compute resources and data science, and by sharing resources and information in criminal forums to discover new weaknesses.
The primary drawback of the current security model is that organizations are forced to manually tweak their controls in response to new threats. This process can take hours or days.
Based on the concepts of digital transformation, an ‘unconventional’ and data-driven approach is needed to thwart new and unforeseen threats. This model has emerged from intensive research into threat actor tactics using multiple sources of security intelligence and sector-based information sharing and analysis centers (ISACs). Some of the most effective of these new controls are model-driven.
Moving to Model-driven Security
This approach uses data science techniques, including big data, machine learning, behavioral analytics and predictive analytics to automate front line controls such as authentication, data leak prevention, etc. It places more emphasis on addressing risk than on meeting compliance.
Model-driven security continuously gathers data from multiple sources, including security tools, HR systems, Identity and Access Management, etc., to create behavioral models quickly and effectively. The models are used to detect anomalies in users' or entities' (machines') activity and/or access patterns relative to their baseline, assign risk scores to them, and automatically invoke security controls when a threat is predicted.
As organizations refine model-driven controls over time, their cybersecurity improves, thereby making it harder for threat actors to compromise systems.
It represents a departure from legacy architectures, and has nothing to do with building yet another authentication/sign-on system, access provisioning system, or access review/re-certification system.
Eliminating Passwords is Just the Beginning
One of the first uses of model-driven security has been in access control, where traditional authentication methods and passwords are failing to do their jobs. To stay ahead of hackers' assault on a sprawling threat plane that spans the cloud, mobile and legacy networks, organizations have turned to continuous behavioral-based authentication.
Behavioral authentication uses risk-based analytics to improve security and enhance the user experience by eliminating passwords. Through constant updates, this model makes real-time decisions about the reliability of a user’s identity and the level of risk associated with a session or requested action.
Activity that deviates from a user’s baseline normal behavior will increase a risk score. If risk exceeds pre-defined thresholds the requested action may be denied or the user may be challenged for another form of authentication before being allowed to proceed.
Risk-based authentication is one example of how model-driven security can be used to detect and prevent attacks that are by-and-large invisible to conventional controls, like insider threats and inappropriate use of stolen credentials.
Deriving Security Context from Data
Unconventional controls used in model-driven security rely on collecting and analyzing a continuous stream of risk intelligence from a wide range of data sources, such as:
- Human resources systems
- Identity and access management systems
- Data Leak Prevention (DLP) monitoring
- Privileged access management
- Endpoint activity
- System logs
By drilling into the above data, model-driven security architectures can create context around activities that might appear benign when viewed in isolation, but are actually malicious.
For example, if an employee who was denied a raise, demoted or given a bad review starts accessing sensitive systems or data they normally don't, this represents a high-risk anomaly in behavior that requires investigation.
The objective of model-driven security, as the example above illustrates, is to achieve a global view of access, entitlements and activity across all systems in an organization, so as to derive the "context" required to accurately assess risk. This includes the ability to rate the risk of behaviors not only by users, but also by entities including applications, systems, devices, etc.
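To make the risk-scoring loop described in the authentication section and the HR-context example above concrete, here is an added illustration (not code from the original article or any product it describes). It builds per-user baselines from constructed access events, scores a new request by its deviation from that baseline plus a constructed HR signal, and maps the score to allow / step-up / deny; the weights, thresholds, resource names and user names are all hypothetical.

```python
from collections import Counter, defaultdict

# Constructed baseline: (user, resource, hour-of-day) for normal activity.
BASELINE_EVENTS = [
    ("alice", "payroll-db", 10), ("alice", "payroll-db", 11), ("alice", "hr-portal", 9),
    ("alice", "payroll-db", 14), ("alice", "hr-portal", 15), ("alice", "payroll-db", 16),
    ("bob", "git-server", 10), ("bob", "ci-server", 11), ("bob", "git-server", 13),
    ("bob", "ci-server", 14), ("bob", "git-server", 15), ("bob", "git-server", 17),
]
# Constructed HR context feed: events that raise the risk attached to an identity.
HR_SIGNALS = {"bob": {"negative_review"}}
SENSITIVE = {"payroll-db", "hr-portal"}
# Hypothetical thresholds and weights; a real deployment would tune these from data.
STEP_UP, DENY = 40, 70

def build_baselines(events):
    """Per-user profile: resources normally touched and hours normally active."""
    profiles = defaultdict(lambda: {"resources": Counter(), "hours": Counter()})
    for user, resource, hour in events:
        profiles[user]["resources"][resource] += 1
        profiles[user]["hours"][hour] += 1
    return profiles

def score_event(profiles, user, resource, hour):
    """Risk score 0-100 for one request: behavioral deviation plus HR context."""
    p = profiles.get(user)
    if p is None:
        return 100, ["no baseline for user"]  # unknown identity: treat as maximum risk
    score, reasons = 0, []
    if resource not in p["resources"]:
        score += 30
        reasons.append("resource never accessed before")
        if resource in SENSITIVE:
            score += 20
            reasons.append("resource is sensitive")
    if not any(abs(hour - h) <= 1 for h in p["hours"]):
        score += 15
        reasons.append("outside usual active hours")
    for signal in HR_SIGNALS.get(user, ()):
        score += 25
        reasons.append(f"HR signal: {signal}")
    return min(score, 100), reasons

def decide(score):
    """Map a score to the control invoked: allow, step-up challenge, or deny."""
    return "deny" if score >= DENY else "step-up" if score >= STEP_UP else "allow"

def evaluate(user, resource, hour):
    """Full pipeline for one access request; returns (decision, score, reasons)."""
    profiles = build_baselines(BASELINE_EVENTS)
    score, reasons = score_event(profiles, user, resource, hour)
    return decide(score), score, reasons
```

The returned reasons list is what an analyst would see alongside the decision, which is the "context" the article argues conventional controls cannot supply.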
Moving away from conventional security controls requires new skills and investments in data science. The payback of model-driven security, however, is tangible. Breaches like the recent Tesla insider sabotage incident are a stark reminder of the risks and business costs of not doing so.