Closing The Loop On Zero Trust - A SIEM & IAM Love Story
10 November, 2021, by Paul Kennedy
A Matter of Trust
Transforming an enterprise into a Zero Trust model is not something that can happen overnight. It may require a change in security philosophy, a change in architecture, a transformation of your identity model, or all three.
In a Zero Trust architecture, security does not simply stop at the network perimeter. A user or device on either side of that perimeter is treated as potentially compromised, so every request is verified rather than assumed to be legitimate.
At its simplest, the Zero Trust identity model consists of:
- Identity: A definition of a user of services, whether that identity is human or not
- Devices: The devices (and things) that make up the network infrastructure or have access to it
- Constant Verification: Nobody and nothing is trusted implicitly - verification checks are carried out continuously.
But how can you reconcile the “Never trust, always verify” principle with an excellent end user experience, so that you engage new customers and retain existing ones?
How can you deliver a seamless Identity Management solution that lets your workforce perform their day-to-day functions and deliver services, while still ensuring that your assets are protected?
How do you improve your security posture without overwhelming the IT department with more monitoring, log aggregation, false-positive exceptions, manual investigations, and ultimately analysis fatigue?
A combination of Identity and Access Management (IAM) and Security Information and Event Management (SIEM) solutions can help an enterprise on its journey towards a Zero Trust architecture by providing visibility into the fundamental questions:
- What is happening?
- Who is doing it?
- When are they doing it?
- How are they doing it?
- Why are they doing it?
You Got It
IAM solutions are not just credential vaults that give users a mechanism to access services after authenticating. They should be viewed as tools for Identity Assurance, with built-in and complementary functionality. These can offer “quick wins” at the beginning of the Zero Trust journey or provide key milestones to work towards in a comprehensive Identity roadmap. Those quick wins include:
- Multi-Factor Authentication
- Federated SSO
- Fine grained access controls
- Automatic provisioning & de-provisioning
- Lifecycle management
- Orphan and dormant account management
- Privileged Access Management
In addition, IAM solutions capture vast swathes of information about each identity: source IP address, geolocation, device ID, last login and logout times, login history and activity.
This data is the key to getting additional value from your SIEM solution.
SIEM solutions can identify security events and alerts by collecting and analysing data from multiple sources and systems across the entire estate. They allow security analysts to see patterns and risks in the data, activity and events to ensure better threat investigation, detection, alerting and incident response and management. And they assist with reporting, auditing and meeting compliance requirements for governance.
Context is king - it is everything! IAM solutions can provide the rich contextual information that brings greater visibility to your SIEM solution and enables your analysts to quickly build a picture of whether an alert represents a genuine threat.
That contextual data is what allows the analyst to dismiss exceptions that are benign or false positives and concentrate on real, credible threats.
Conversely, SIEM can provide IAM with user and resource access reports on identities and groups, building up a picture of who is accessing what, and when. This is invaluable when modifying existing access roles and rights, or creating new entitlements, based on past and current user and resource activity.
By working in concert, both solutions become more than simple access, authentication, activity monitoring and alert tools.
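The following is an added example (not code from the original article or from any vendor product) of the two-way exchange described above: SIEM authentication events are enriched with an IAM directory snapshot (role, registered devices, home country, last login) so that each alert carries the context an analyst needs, and the accounts the SIEM finds to be dormant or orphaned are fed back for IAM lifecycle management. The directory contents, the JSON event lines, the risk weights and the 90-day dormancy threshold are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed IAM directory snapshot (hypothetical identities, not real data).
IAM_DIRECTORY = {
    "alice": {"role": "finance-analyst", "devices": {"LT-0123"},
              "home_country": "GB", "last_login": "2021-11-09T08:55:00"},
    "bob":   {"role": "domain-admin", "devices": {"LT-0456"},
              "home_country": "GB", "last_login": "2021-07-01T12:00:00"},
}
PRIVILEGED_ROLES = {"domain-admin"}
DORMANT_AFTER = timedelta(days=90)   # illustrative dormancy threshold

# Constructed SIEM authentication events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2021-11-10T09:02:11", "user": "alice", "src_ip": "10.1.2.3", "device": "LT-0123", "country": "GB", "result": "success"}
{"ts": "2021-11-10T03:14:00", "user": "alice", "src_ip": "203.0.113.9", "device": "UNKNOWN-7", "country": "RU", "result": "success"}
{"ts": "2021-11-10T10:30:00", "user": "bob", "src_ip": "10.1.2.9", "device": "LT-0456", "country": "GB", "result": "success"}
{"ts": "2021-11-10T11:00:00", "user": "carol", "src_ip": "10.1.2.44", "device": "LT-0999", "country": "GB", "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines SIEM events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def enrich(event, directory):
    """Attach IAM context to one SIEM event and score its risk indicators."""
    user = event["user"]
    ctx = directory.get(user)
    reasons, score = [], 0
    if ctx is None:
        # No identity owns this account: an orphan, always worth an analyst's time.
        return {**event, "role": None, "score": 50, "reasons": ["orphan_account"]}
    if event["device"] not in ctx["devices"]:
        reasons.append("unregistered_device")
        score += 20
    if event["country"] != ctx["home_country"]:
        reasons.append("country_mismatch")
        score += 20
    last_seen = datetime.fromisoformat(ctx["last_login"])
    if datetime.fromisoformat(event["ts"]) - last_seen > DORMANT_AFTER:
        reasons.append("dormant_account")
        score += 30
    # A privileged role only raises the score when something else is already off.
    if ctx["role"] in PRIVILEGED_ROLES and reasons:
        reasons.append("privileged_role")
        score += 10
    return {**event, "role": ctx["role"], "score": score, "reasons": reasons}


def triage(text, directory=IAM_DIRECTORY, threshold=25):
    """Return (alerts above threshold, (user, reason) pairs to hand back to IAM)."""
    enriched = [enrich(e, directory) for e in parse_events(text)]
    alerts = [e for e in enriched if e["score"] >= threshold]
    # Feedback loop to IAM: accounts that lifecycle management should act on.
    for_iam = sorted({(e["user"], r) for e in enriched for r in e["reasons"]
                      if r in ("orphan_account", "dormant_account")})
    return alerts, for_iam


if __name__ == "__main__":
    alerts, for_iam = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(a["ts"], a["user"], a["role"], a["score"], a["reasons"])
    print("for IAM lifecycle review:", for_iam)
```

Of the four constructed events only the first (alice, registered laptop, home country, recently active) scores zero and drops out of the analyst's queue; the other three are raised with the IAM fields that explain why, and bob's dormant privileged account and carol's orphan account are returned separately so the IAM platform can disable or re-own them rather than leaving the SIEM to alert on them again tomorrow.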
It Ain’t What You Do, It’s The Way That You Do It
Even with all the event telemetry processed by your SIEM solution and the contextual data provided by IAM, some exceptions will still be missed.
This is where behavioural analysis helps. By analysing past and present user behaviour, a baseline of what is 'normal' for each user can be built from their activity patterns.
An end user may log in to a business-critical system several times during the course of their working day; it is when they start to exhibit uncharacteristic behaviour that deviates from that baseline that exceptions should be raised or additional security measures applied to protect the business.
For example, a user attempting to move laterally through the network, or copying or moving data they would normally only read, could be considered abnormal behaviour worthy of investigation.
User and Entity Behaviour Analytics (UEBA) solutions using machine or deep learning may already be configured in your environment as a standalone product. However, modern SIEM platforms have this functionality embedded.
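As an added illustration of the baselining idea in the preceding paragraphs (example code written for this page, not from the article's author or any UEBA product), the block below builds a simple per-user profile from a constructed activity history (hours of activity, hosts used, and which actions the user has performed on each object) and then scores new events against it. A login at an unusual hour on a host never seen before is flagged as possible lateral movement, and a copy of a file the user has only ever read is flagged as a write on a read-only object. The log format, the two event sets and the one-hour slack are all hypothetical; a real UEBA system would use statistical or learned models rather than set membership.

```python
from collections import defaultdict
from datetime import datetime

# Constructed activity history used to build the baseline (hypothetical data).
# Format: timestamp user action host object ("-" when no object applies).
HISTORY = """\
2021-10-04T08:12:00 alice login fs01 -
2021-10-04T09:40:00 alice read fs01 /finance/q3.xlsx
2021-10-05T08:30:00 alice login fs01 -
2021-10-05T10:05:00 alice read fs01 /finance/q3.xlsx
2021-10-06T08:05:00 alice login fs01 -
2021-10-06T14:20:00 alice read fs01 /finance/q3.xlsx
"""

# Constructed new events to score against that baseline.
NEW_EVENTS = """\
2021-11-10T08:20:00 alice login fs01 -
2021-11-10T08:45:00 alice read fs01 /finance/q3.xlsx
2021-11-10T23:10:00 alice login db02 -
2021-11-10T23:15:00 alice copy fs01 /finance/q3.xlsx
"""


def parse(text):
    """Parse the space-separated activity lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, host, obj = line.split(maxsplit=4)
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "action": action, "host": host, "obj": obj})
    return rows


def build_baseline(history):
    """Per-user profile: hours of activity, hosts used, actions seen per object."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set(),
                                    "actions": defaultdict(set)})
    for r in parse(history):
        p = profiles[r["user"]]
        p["hours"].add(r["ts"].hour)
        p["hosts"].add(r["host"])
        p["actions"][r["obj"]].add(r["action"])
    return profiles


def score_event(r, profiles, slack=1):
    """Return the list of ways this event deviates from the user's baseline."""
    p = profiles.get(r["user"])
    if p is None:
        return ["no_baseline"]      # never seen before: cannot judge, but worth noting
    deviations = []
    if not any(abs(r["ts"].hour - h) <= slack for h in p["hours"]):
        deviations.append("unusual_hour")
    if r["host"] not in p["hosts"]:
        deviations.append("new_host")   # candidate lateral movement
    seen = p["actions"].get(r["obj"], set())
    if r["obj"] != "-" and r["action"] not in seen and seen <= {"read"}:
        deviations.append("write_on_read_only_object")
    return deviations


def detect(history=HISTORY, new_events=NEW_EVENTS):
    """Score every new event and return only those that deviate from baseline."""
    profiles = build_baseline(history)
    findings = []
    for r in parse(new_events):
        d = score_event(r, profiles)
        if d:
            findings.append((r["ts"].isoformat(), r["action"], d))
    return findings


if __name__ == "__main__":
    for ts, action, deviations in detect():
        print(ts, action, deviations)
```

The two morning events match the baseline and produce nothing, so the analyst never sees them; the late-night login to db02 and the copy of the spreadsheet are the only events returned, each with the specific deviations that justify raising an exception or stepping up authentication for that session.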
We’ve Only Just Begun
There are other security products, technologies and tools that can be added to this relationship to help shore up your defences. These should not be siloed or viewed as competing tools. Instead, they should be used in conjunction with the existing security framework to further augment the cyber-security capabilities at your disposal:
- Data Loss Prevention (DLP)
- Endpoint Detection & Response (EDR)
- Network Detection & Response (NDR)
- Cloud Access Security Broker (CASB)
- Passwordless Authentication
- Self-Sovereign Identity
Extended (cross-layered) Detection and Response (XDR) takes a more holistic approach to threat detection and response. By automatically correlating, normalising and storing telemetry from all of these layers centrally, it can apply machine learning and other analytics to improve detection and shorten investigation and response times.
All good relationships should start with trust. In a Zero Trust Architecture, the concept of “Never trust, Always verify” is paramount. However, a fine grained IAM strategy working in tandem with a robust SIEM solution that also utilises behaviour analytics can aid in the protection of your assets and identify threats more rapidly.
Your IAM solution can supply the contextual data that lets your SIEM make more informed decisions based on risk profiling and scoring. Conversely, your SIEM can identify gaps and dangerous overlaps in your identity and role policies, alert on activity by dormant or orphaned accounts, and relay that information to your IAM platform for proper lifecycle management. All the while, UEBA continues to process and analyse activity so that any compromised user or entity is identified quickly and the appropriate action taken.
Contact Us to learn more about how IAM working in collaboration with SIEM can aid you in your Zero Trust journey and help improve your security posture.