1. Stop Attacks at the Perimeter: The Identity Perimeter. June 2015
2. James Romer, Technical Director EMEA, SecureAuth
3. Why Identity is the Perimeter you Need to Care About
5. The reality is:
+ Preventative measures are failing
+ We're never going to stop every attack
+ There are humans involved (on both sides)
+ Passwords are no longer good enough
6. Let's Examine an Attack
7. Traditional Perimeter
8. Identity as The Perimeter
9. SIEM and Alert Fatigue
+ Unlike other systems, identity alerts will not overload the SIEM
+ These events should not happen and as a result are high fidelity
+ Identity data can include: IP reputation data, geo-location, geo-velocity, geo-fencing, device analysis, behavioral analysis, identity store analysis
10. Case Study: Target
11. Why Are We Waiting to be Breached? Two in five IT decision makers (39%) state their only method of access control is user ID and password. Source: SecureAuth survey of 500 ITDMs in the UK, conducted by Opinimum Research in March 2015
12. Moving Beyond the Password
+ Already there: 7%
+ In the next 12 months: 22%
+ In 1 - 5 years: 36%
+ No plans to move: 24%
+ Don't know: 11%
Source: SecureAuth survey of 500 ITDMs in the UK, conducted by Opinimum Research in March 2015
13. Protecting the Identity
14. How Do You Protect the Identity?
+ Protection must be where credentials are used
+ Adding something the user has
+ Adaptive approaches
+ Tighter security has a price
15. Two-Factor Authentication
16. Two-Factor Authentication
+ Two-factor authentication can be modern
+ Seek solutions beyond the hardware token
+ Dozens of second-factor methods exist
+ Ensure authentication workflows are flexible and fit your organization's needs
+ Consider biometrics as a second factor
19. Adaptive Authentication: using an open-ended variety of identity-relevant data to incrementally elevate the trust in a claimed identity*
+ IP reputation data
+ Device analysis
+ Geo-location
+ Behavioral analysis
+ Geo-fencing
+ Identity store analysis
+ Geo-velocity
+ And more
*Gartner, A Taxonomy of User Authentication Methods, April 2014
20. Device Analysis
+ First-time authentication: register the device fingerprint
+ Subsequent authentications: validate the device against the stored fingerprint
+ Fingerprints include characteristics about a device such as: web browser configuration, device IP address, language, screen resolution, installed fonts, browser cookie settings, browser plugins, time zone
+ Several of these characteristics change with routine browser and OS updates, so a mismatch is one risk signal that raises the score, not a hard failure on its own
21. IP Reputation Data
22. Identity Store Lookup
+ Compare information to identities kept in a directory or user store: privileged users, group membership, object attributes
23. Geo-location
+ Compare the current geographical location against known good/bad locations
24. Geo-fencing
+ Determine if the authentication location is within a geographical area or virtual barrier
25. Geo-velocity
+ Compare the current location and login history to determine whether an improbable travel event has occurred: the distance between this login and the previous one, divided by the time between them, implies a speed no traveller could achieve
26. Behavioral Analysis
+ Analyze behavior that can be used to verify a person
+ Gather and store characteristics about the way the user interacts with a device, such as: keystroke dynamics, mouse motion, touch motion
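The per-login evaluation described in slides 20 to 26, as an added example that is not from the deck or from SecureAuth: it registers and validates a device fingerprint, classifies the source IP against a reputation list, checks a geo-fence, computes geo-velocity from the previous login, and looks up group membership, then turns the combined score into allow, step-up or deny. The thresholds, weights, the 500 km fence, the reputation list, the group names, the device characteristics and the four login attempts are all constructed assumptions, not vendor defaults.

```python
import hashlib
import json
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: anything faster is "improbable travel"
STEP_UP_THRESHOLD = 30            # assumption: ask for a second factor from this score
DENY_THRESHOLD = 70               # assumption: refuse the attempt from this score
# Illustrative weights per risk signal (policy choices, not vendor defaults).
WEIGHTS = {"unknown_device": 30, "bad_ip_reputation": 40, "outside_geofence": 25,
           "improbable_travel": 40, "privileged_user": 20}
# Constructed IP reputation feed (prefix -> classification), documentation ranges only.
IP_REPUTATION = {"203.0.113.": "tor_exit", "198.51.100.": "known_malicious"}
# Constructed geo-fence: a 500 km circle around a London office.
GEOFENCE = {"lat": 51.5, "lon": -0.12, "radius_km": 500.0}
# Constructed identity-store rule: membership in these groups marks a privileged user.
PRIVILEGED_GROUPS = {"Domain Admins", "Finance Approvers"}
# Constructed device characteristics as a browser would report them.
LAPTOP = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0", "lang": "en-GB",
          "screen": "1920x1080", "tz": "Europe/London", "plugins": ["pdf"]}

@dataclass
class UserRecord:
    """What the identity store and the device registry know about one user."""
    username: str
    groups: list
    known_devices: set = field(default_factory=set)
    last_login: dict = None  # {"lat", "lon", "time"} of the last verified login

@dataclass
class LoginAttempt:
    username: str
    ip: str
    lat: float
    lon: float
    time: float   # epoch seconds
    device: dict  # characteristics collected at login

def device_fingerprint(characteristics):
    """Hash the collected characteristics into a stable fingerprint string."""
    canonical = json.dumps(characteristics, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def ip_classification(ip):
    return next((label for prefix, label in IP_REPUTATION.items() if ip.startswith(prefix)), "clean")

def evaluate(user, attempt):
    """Score one attempt against each signal; return (action, score, reasons)."""
    reasons = []
    # Device analysis: validate the fingerprint against those registered for the user.
    if device_fingerprint(attempt.device) not in user.known_devices:
        reasons.append("unknown_device")
    if ip_classification(attempt.ip) != "clean":
        reasons.append("bad_ip_reputation")
    # Geo-fencing: is the login inside the allowed area?
    if haversine_km(attempt.lat, attempt.lon, GEOFENCE["lat"], GEOFENCE["lon"]) > GEOFENCE["radius_km"]:
        reasons.append("outside_geofence")
    # Geo-velocity: distance from the previous login divided by the time elapsed.
    if user.last_login is not None:
        dist = haversine_km(attempt.lat, attempt.lon, user.last_login["lat"], user.last_login["lon"])
        hours = (attempt.time - user.last_login["time"]) / 3600.0
        speed = float("inf") if hours <= 0 else dist / hours
        if dist > 50 and speed > MAX_PLAUSIBLE_SPEED_KMH:  # 50 km tolerance for geo-IP noise
            reasons.append("improbable_travel")
    # Identity store lookup: privileged accounts get less tolerance.
    if PRIVILEGED_GROUPS & set(user.groups):
        reasons.append("privileged_user")
    score = sum(WEIGHTS[r] for r in reasons)
    action = "deny" if score >= DENY_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons

def record_success(user, attempt):
    """After a fully verified login, register the device and remember the location."""
    user.known_devices.add(device_fingerprint(attempt.device))
    user.last_login = {"lat": attempt.lat, "lon": attempt.lon, "time": attempt.time}

def demo():
    """Four constructed attempts (London and New York coordinates); returns the decisions."""
    alice, bob = UserRecord("alice", ["Staff"]), UserRecord("bob", ["Domain Admins"])
    t0 = 1_433_000_000  # arbitrary epoch time in June 2015
    first = LoginAttempt("alice", "192.0.2.10", 51.5074, -0.1278, t0, LAPTOP)
    out = [evaluate(alice, first)]  # never-seen device: step-up, then register it
    record_success(alice, first)
    again = LoginAttempt("alice", "192.0.2.10", 51.5074, -0.1278, t0 + 86400, LAPTOP)
    out.append(evaluate(alice, again))  # known device, same place, a day later: allow
    record_success(alice, again)
    nyc = LoginAttempt("alice", "192.0.2.11", 40.7128, -74.0060, t0 + 86400 + 3600, LAPTOP)
    out.append(evaluate(alice, nyc))  # 5570 km in one hour, outside the fence: step-up
    tor = LoginAttempt("bob", "203.0.113.7", 51.5074, -0.1278, t0, {**LAPTOP, "tz": "Europe/Moscow"})
    out.append(evaluate(bob, tor))  # admin, unknown device, Tor exit: deny
    return out
```

The fingerprint is only registered by `record_success`, i.e. after the step-up has been passed, so an attacker who fails the second factor never gets their device trusted; and the geo-velocity check keeps a small distance tolerance because the geo-IP location of a single address routinely wanders by tens of kilometres.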
27. Where does it help?
28. Putting it all together
29. Threat detection around identity
30. Identity Data is The Key
+ Detecting attackers operating with legitimate credentials is challenging
+ Median time from compromise to detection is 205 days*
+ Security policies must shift focus to stolen credentials and lateral movement
+ Adaptive authentication data can fill this blind spot
+ Correlation pulls together events and pinpoints incidents
*Source: 2015 Mandiant M-Trends Report
31. The Value of Alerting
+ Why send more to the SIEM? Adaptive authentication data and associated alerts are high fidelity
+ Risk-based alerting identifies deliberate actions that may be suspicious and warrant investigation
+ Proactive alerting includes observing identities and systems
32. Look at the Data
+ Identity attribution data is extremely valuable during an investigation and the following incident response
+ This data may include: user name, group membership, IP address, geographical location of the IP, classification of the IP, the system that the identity was attempting to access, behavioral profile
33. An Authentication Ecosystem: The Return Path
+ Security practitioners should be interacting with authentication systems during an attack
+ Policy changes should be made in real time
+ Examples of change: identity step-up, identity lockdown, system step-up, system lockdown
+ A rich API can enable this in practice
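The correlation of slide 30 and the return path of slide 33, as an added example that is not from the deck or from SecureAuth: three correlation rules run over a constructed batch of authentication events already enriched by the adaptive layer, every alert carries the attribution data listed on slide 32, and each alert names the policy change to push back (identity lockdown, identity step-up or system step-up). The directory extract, the events, the window and the thresholds are constructed, and PolicyClient is a hypothetical stand-in for a real authentication system's API, not any vendor's client.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SEC = 600             # assumption: failures count if within 10 minutes of the success
FAIL_IPS_BEFORE_SUCCESS = 2  # assumption: failures from this many distinct IPs is suspicious
SPRAY_MIN_USERS = 3          # assumption: one IP failing against this many users is a spray
PRIVILEGED = {"Domain Admins", "Finance Approvers"}

# Constructed identity-store extract: group membership and usual countries per user.
DIRECTORY = {
    "bob":   {"groups": ["Domain Admins"], "countries": {"GB"}},
    "alice": {"groups": ["Staff"], "countries": {"GB"}},
    "frank": {"groups": ["Finance Approvers"], "countries": {"GB", "DE"}},
    "carol": {"groups": ["Staff"], "countries": {"GB"}},
    "dave":  {"groups": ["Staff"], "countries": {"GB"}},
    "erin":  {"groups": ["Staff"], "countries": {"GB"}},
}

# Constructed authentication events, already enriched by the adaptive layer
# (IP classification, country of the IP, device known or not, target system).
def ev(t, user, ip, ip_class, country, device_known, system, result):
    return dict(t=t, user=user, ip=ip, ip_class=ip_class, country=country,
                device_known=device_known, system=system, result=result)

EVENTS = [
    ev(0,   "bob",   "198.51.100.5", "known_malicious", "RU", False, "vpn",     "fail"),
    ev(40,  "bob",   "198.51.100.6", "known_malicious", "RU", False, "vpn",     "fail"),
    ev(80,  "bob",   "198.51.100.7", "known_malicious", "RU", False, "vpn",     "fail"),
    ev(130, "bob",   "203.0.113.9",  "tor_exit",        "RU", False, "vpn",     "success"),
    ev(200, "alice", "192.0.2.10",   "clean",           "GB", True,  "email",   "success"),
    ev(260, "frank", "192.0.2.77",   "clean",           "BR", False, "finance", "success"),
    ev(300, "carol", "198.51.100.5", "known_malicious", "RU", False, "vpn",     "fail"),
    ev(301, "dave",  "198.51.100.5", "known_malicious", "RU", False, "vpn",     "fail"),
    ev(302, "erin",  "198.51.100.5", "known_malicious", "RU", False, "vpn",     "fail"),
]

@dataclass
class Alert:
    rule: str
    subject: str   # the identity or the system the policy change applies to
    action: str    # identity_step_up, identity_lockdown, system_step_up or system_lockdown
    context: dict  # attribution data handed to the investigator

def correlate(events, directory):
    """Run three correlation rules over the events and return the alerts they raise."""
    events = sorted(events, key=lambda e: e["t"])
    alerts = []
    # Rule 1: failures from several IPs shortly before a success on the same identity.
    # Whoever is logging in now did not know the password minutes ago: lock the identity.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            ips = {x["ip"] for x in evs[:i] if x["result"] == "fail" and e["t"] - x["t"] <= WINDOW_SEC}
            if len(ips) >= FAIL_IPS_BEFORE_SUCCESS:
                ctx = {"groups": directory.get(user, {}).get("groups", []), "failed_from": sorted(ips),
                       "success_ip": e["ip"], "ip_class": e["ip_class"], "country": e["country"], "system": e["system"]}
                alerts.append(Alert("multi_ip_failures_then_success", user, "identity_lockdown", ctx))
                break
    locked = {a.subject for a in alerts}
    # Rule 2: privileged identity succeeds from an unregistered device and an unusual origin.
    # Not conclusive on its own, so raise the bar (step-up) rather than lock.
    for e in events:
        rec = directory.get(e["user"], {"groups": [], "countries": set()})
        if e["result"] != "success" or e["user"] in locked or not PRIVILEGED & set(rec["groups"]):
            continue
        unusual = e["country"] not in rec["countries"] or e["ip_class"] != "clean"
        if not e["device_known"] and unusual:
            ctx = {"groups": rec["groups"], "ip": e["ip"], "ip_class": e["ip_class"], "country": e["country"], "system": e["system"]}
            alerts.append(Alert("privileged_new_device_unusual_origin", e["user"], "identity_step_up", ctx))
    # Rule 3: one IP failing against many identities on one system is a password spray;
    # the policy change targets the system (second factor for everyone) rather than one user.
    targeted = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            targeted[(e["system"], e["ip"])].add(e["user"])
    for (system, ip), users in targeted.items():
        if len(users) >= SPRAY_MIN_USERS:
            alerts.append(Alert("password_spray", system, "system_step_up", {"ip": ip, "users": sorted(users)}))
    return alerts

class PolicyClient:
    """Hypothetical stand-in for the authentication system's policy API (not a real product's
    client). A real one would call the vendor's endpoint; this one records what it would send."""
    def __init__(self):
        self.changes = []
    def apply(self, alert):
        self.changes.append((alert.action, alert.subject))
        return {"action": alert.action, "subject": alert.subject, "reason": alert.rule}

def run(events=EVENTS, directory=DIRECTORY):
    """Correlate, push every resulting policy change back, and return what was pushed."""
    client = PolicyClient()
    return [client.apply(a) for a in correlate(events, directory)]
```

Rule 1 is the high-fidelity case the slides are after: the only benign explanation for failures from three addresses followed by a success is a user mistyping from three networks in two minutes, so the alert carries an automatic lockdown. Rule 2 only steps up, because a privileged user on a new laptop abroad is exactly what a contained identity looks like from the outside; and rule 3 shows why the return path needs a system-level change too, since locking each sprayed account individually would hand the attacker a denial of service.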
34. Identity Containment: Automatically Stop Attacks
35. An Identity Safety Net
36. Summary
+ Identity is the perimeter to care most about
+ Emerging practices can better protect against threats
+ Focus and enrich security policy around authentication
37. The intellectual content within this document is the
property of SecureAuth and must not be shared without prior
consent.