SecureAuth Cyber Security Presentation


Upload: paul-sweeney

Post on 23-Jan-2018


TRANSCRIPT

  1. Stop Attacks at the Perimeter: The Identity Perimeter. June, 2015
  2. James Romer, Technical Director EMEA, SecureAuth
  3. Why Identity is the Perimeter you Need to Care About
  4. Stop Attacks at the Perimeter: The Identity Perimeter
  5. The reality is...
     + Preventative measures are failing
     + We're never going to totally stop an attack
     + There are humans involved (on both sides)
     + Passwords are no longer good enough
  6. Let's Examine an Attack
  7. Traditional Perimeter
  8. Identity as The Perimeter
  9. SIEM and Alert Fatigue
     + Unlike other systems, identity alerts will not overload the SIEM
     + These events should not happen and as a result are high fidelity
     + Identity data can include:
       - IP reputation data
       - Geo-location
       - Geo-velocity
       - Geo-fencing
       - Device analysis
       - Behavioral analysis
       - Identity store analysis
  10. Case Study: Target
  11. Why Are We Waiting to be Breached?
     + Two in Five ITDMs State Their Only Method of Access Control Is User ID and Password: 39%
     + Source: SecureAuth survey of 500 ITDMs in the UK. Conducted by Opinium Research in March 2015
  12. Moving Beyond the Password
     + Already there: 7%
     + In the next 12 months: 22%
     + In 1 - 5 years: 36%
     + No plans to move: 24%
     + Don't know: 11%
     + Source: SecureAuth survey of 500 ITDMs in the UK. Conducted by Opinium Research in March 2015
  13. Protecting the Identity
  14. How Do You Protect the Identity?
     + Protection must be where credentials are used
     + Adding something the user has
     + Adaptive approaches
     + Tighter security has a price
  15. Two-Factor Authentication
  16. Two-Factor Authentication
     + Two-factor authentication can be modern
       - Seek solutions beyond hardware token
       - Dozens of second factor methods exist
       - Ensure authentication workflows are flexible and fit your organization's needs
       - Consider biometrics as a second factor
  17. Examples of Two-Factor Methods
       1. SMS OTP
       2. Telephony OTP
       3. Email OTP
       4. Static PIN
       5. KBA/KBQ
       6. X.509 Native
       7. X.509 Java
       8. CAC
       9. PIV Card
       10. Push Notification
       11. Mobile OATH Token
       12. Browser OATH Token
       13. Desktop OATH Token
       14. Third-party OATH Token
       15. Device Fingerprinting
       16. Yubikey (USB)
       17. Password
       18. Social IDs
       19. Federated IDs
       20. Kerberos
       21. Help Desk
  18. Adaptive Authentication
  19. Adaptive Authentication
     + "Using an open-ended variety of identity-relevant data to incrementally elevate the trust in a claimed identity"*
       - IP reputation data
       - Geo-location
       - Geo-fencing
       - Geo-velocity
       - Device analysis
       - Behavioral analysis
       - Identity store analysis
       - And more
     + *Gartner - A Taxonomy of User Authentication Methods, April 2014
  20. Device Analysis
     + First-time authentication - register the device fingerprint
     + Subsequent authentications - validate the device against a stored fingerprint
     + Fingerprints include characteristics about a device such as:
       - web browser configuration
       - device IP address
       - language
       - screen resolution
       - installed fonts
       - browser cookies settings
       - browser plugin
       - time zone
  21. IP Reputation Data
  22. Identity Store Lookup
     + Compare information to identities kept in a directory or user store
       - Privileged users
       - Group membership
       - Object attributes
  23. Geo-location
     + Compare the current geographical location against known good/bad locations
  24. Geo-fencing
     + Determine if the authentication location is within a geographical area or virtual barrier
  25. Geo-velocity
     + Compare current location and login history to determine whether an improbable travel event has occurred
  26. Behavioral Analysis
     + Analyze behavior that can be used to verify a person
     + Gather and store characteristics about the way the user interacts with a device such as:
       - Keystroke dynamics
       - Mouse motion
       - Touch motion
  27. Where does it help?
  28. Putting it all together
  29. Threat detection around identity
  30. Identity Data is The Key
     + Detecting attackers operating with legitimate credentials is challenging
     + Mean time to detection is 205 days*
     + Security policies must shift focus to stolen credentials and lateral movement
     + Adaptive authentication data can fill this blind spot
     + Correlation pulls together events and pinpoints incidents
     + *Source: 2015 Mandiant M-Trends Report
  31. The Value of Alerting
     + Why send more to the SIEM?
       - Adaptive authentication data and associated alerts are high fidelity
       - Risk based alerting identifies deliberate actions that may be suspicious and warrant investigation
       - Proactive alerting includes observing identities and systems
  32. Look at the Data
     + Identity attribution data is extremely valuable during an investigation and the following incident response
     + This data may include:
       - User name
       - Group membership
       - IP address
       - Geographical location of the IP
       - Classification of the IP
       - The system that the identity was attempting to access
       - Behavioral profile
  33. An Authentication Ecosystem - The Return Path
     + Security practitioners should be interacting with authentication systems during an attack
     + Policy changes should be made in real time
     + Example of change:
       - Identity Step-up
       - Identity Lockdown
       - System Step-up
       - System Lockdown
     + A rich API can enable this in practice
  34. Identity Containment - Automatically Stop Attacks
  35. An Identity Safety Net
  36. Summary
     + Identity is the perimeter to care most about
     + Emerging practices can better protect against threats
     + Focus and enrich security policy around authentication
  37. The intellectual content within this document is the property of SecureAuth and must not be shared without prior consent.
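
The device analysis, geo-fencing and geo-velocity checks from slides 20, 24 and 25, combined into one adaptive decision. This is an added example, not code from the presentation or from SecureAuth's product; the field names, the speed and elapsed-time thresholds, and the allow/step-up/deny policy are all assumptions.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
MIN_ELAPSED_H = 0.1     # assumed floor so near-simultaneous logins do not divide by zero

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def improbable_travel(prev, cur):
    """Geo-velocity: does the speed implied by two logins exceed MAX_SPEED_KMH?"""
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    dist = haversine_km(prev["geo"], cur["geo"])
    return dist / max(hours, MIN_ELAPSED_H) > MAX_SPEED_KMH

def in_geofence(geo, fence):
    """Geo-fencing: is the point within fence['radius_km'] of fence['center']?"""
    return haversine_km(geo, fence["center"]) <= fence["radius_km"]

def evaluate(login, profile):
    """Return (decision, reasons); decision is 'allow', 'step-up' or 'deny'."""
    reasons = []
    if login["device"] not in profile["devices"]:       # device analysis
        reasons.append("unknown-device")
    if not in_geofence(login["geo"], profile["fence"]):
        reasons.append("outside-geofence")
    last = profile.get("last_login")
    if last and improbable_travel(last, login):
        reasons.append("improbable-travel")
    # Assumed policy: an unregistered device plus improbable travel is refused;
    # any other signal asks for a second factor instead.
    if {"unknown-device", "improbable-travel"} <= set(reasons):
        return "deny", reasons
    return ("step-up" if reasons else "allow"), reasons

# Constructed sample profile (not from the presentation): a London-based user.
PROFILE = {
    "devices": {"fp-laptop-01"},
    "fence": {"center": (51.5074, -0.1278), "radius_km": 500},
    "last_login": {"geo": (51.5074, -0.1278),
                   "time": datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)},
}
```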