Correlation: Why It's Important to Your Security Infrastructure

Post on 12-Apr-2017


Do You Need Correlation?

Breaking Down Correlation and What it Means to Identity Management

“Do you need correlation?”

It’s a question we keep discussing with prospects and customers…

And it’s clear there’s a lack of understanding around correlation and its place in an identity management platform.

What is correlation?

When is it needed?

How does it support an identity management platform and security infrastructure?

There are three kinds of correlation:

• Identity Correlation
• Event Correlation
• Behavioral Correlation

Let’s take a closer look at all three…

Identity Correlation

Identity Correlation – What is it?

Identity Correlation reconciles and validates proper ownership of user account IDs throughout an organization and links ownership of those user account IDs to individuals using a unique identifier.

In other words, Identity Correlation provides context to user account IDs.

This is Jane Smith.

She works as a Marketing Manager for XYZ Corp.

To XYZ Corp’s security technology systems, Jane exists as JSmith.

Identity Correlation – How it Works

Identity Correlation links JSmith to the access Jane needs to do her job.

As a marketing manager, Jane needs access to Google Apps, Salesforce.com and Hubspot.

She does not need access to JIRA, used by the engineering team.


Identity Correlation can show data discrepancies, such as Jane suddenly having access to JIRA.

If that happened, Identity Correlation would show XYZ Corp’s IT staff that they need to remove that access for her.


Identity Correlation & Identity Management

Identity management platforms should provide identity correlation as a core function of the product.

Event Correlation

Event Correlation – What is it?

Event correlation looks at events happening in a window of time.

It is the process of examining events, interactions of events, and then determining which events and interactions are important.

Event correlation is handled by a Security Information and Event Management (SIEM) tool.

When properly configured, a SIEM tool will determine event correlations and raise alerts when needed.


Event Correlation – How it Works

Jane logs into her computer in Barcelona…

…but then swipes her employee badge in Jakarta…

That shouldn’t be possible! A SIEM tool would alert her IT staff so proper containment steps could be taken.
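The Barcelona/Jakarta scenario above as a correlation rule, in an added example that is not part of the original slides. The badge IDs, the second user, the timestamps, the site coordinates and the 900 km/h speed ceiling are all constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed

# Constructed sample data. OWNER is the identity-correlation step: each
# source-specific ID (account, badge) maps to one person.
OWNER = {"JSmith": "jane.smith", "badge-0417": "jane.smith",
         "BLee": "bob.lee", "badge-0532": "bob.lee"}
SITES = {"Barcelona": (41.39, 2.17), "Jakarta": (-6.21, 106.85)}
EVENTS = [  # (UTC timestamp, source, source-specific ID, site)
    ("2017-04-12T08:02:00", "workstation_login", "JSmith", "Barcelona"),
    ("2017-04-12T08:10:00", "workstation_login", "BLee", "Barcelona"),
    ("2017-04-12T09:15:00", "badge_swipe", "badge-0417", "Jakarta"),
    ("2017-04-12T12:30:00", "badge_swipe", "badge-0532", "Barcelona"),
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Alert when consecutive events of one person imply a speed above max_kmh."""
    alerts, last = [], {}
    for ts, source, ident, site in sorted(events):
        person = OWNER.get(ident)
        if person is None:  # ID not correlated to a person: cannot attribute
            continue
        when = datetime.fromisoformat(ts)
        if person in last:
            prev_when, prev_site = last[person]
            hours = (when - prev_when).total_seconds() / 3600
            km = km_between(SITES[prev_site], SITES[site])
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((person, prev_site, site, round(km), round(hours, 2)))
        last[person] = (when, site)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("ALERT impossible travel:", alert)
```

The rule only fires because the login account and the badge resolve to the same person, which is why event correlation depends on identity correlation being in place first.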

Event Correlation & Identity Management

A SIEM tool directly handles event correlation, but receives event logs from across the organization.

An identity management platform is a provider and producer of activity logs for a SIEM tool. It also supports alerts from SIEM tools to take action on risks.

Behavioral Correlation

Behavioral Correlation – What is it?

Behavioral correlation is a relatively new term in IT security because the industry has struggled so much with identity and event correlation.

Identity Correlation = deals with a current state of accounts

Event Correlation = examines events occurring within a window of time

Behavioral Correlation = looks at a current event and compares it to historical action patterns


Behavioral Correlation – How it Works

Jane typically logs into a US-based device every weekday between 9am and 6pm.

But if she travels to Munich and attempts to log in, behavioral correlation determines that this login does not match her usual patterns.

That action could push a pre-set policy for this situation into effect, requiring Jane to provide additional information, such as a one-time password sent to her phone.

Behavioral Correlation & Identity Management

Because it’s such a new concept, most identity management platforms do not have the infrastructure to handle behavioral correlation.

But it should live in identity management, so the most innovative vendors are closely examining it.

So… do you need correlation?

In short, maybe…

It all depends on what you’re trying to do.

But your identity management vendor should be able to help you determine which type of correlation you need.

As it relates to correlation, an identity management platform should include:

• Identity Correlation as a component
• Ability to work in conjunction with a SIEM tool
• Future plans to offer Behavioral Correlation capabilities

To learn more about the different types of correlation, read our guidebook, Do You Need Correlation?
