Your business ecosystem: An ill-fitting Jigsaw Puzzle?
SilverLake MasterSAM’s Managing Director, Sanjeev Dhar, recently talked with Enterprise IT News about privileged access management (PAM) and the challenges it faces, specifically the “dark space” that arises from what he calls the Collective.
Read more below.
EITN: Targets have shifted with the Internet of Things (IoT) and mobile devices and so on – how does this create dark space that attackers can exploit?
Sanjeev Dhar: Targets have evolved from Servers to Applications to Desktops to Browsers to Mobile to IoT to Nations and Populations …
The target landscape has changed today to systems that are complex and multi-dimensional. We believe application/system integration has gone beyond manageability and, as it does, we as human beings have automated it, as always, to control the risk.
What are the real challenges in application integration? The real challenge is “the Collective”.
The obvious challenge is getting the independently designed systems and various disparate technologies to work together. The real challenge is getting all the people who represent the wide and varied parts of the enterprise to work together.
A typical bank has at least 6 main business areas, 8 delivery channels, 4 different computing platforms, 4 service providers, a few software environments, some recent technologies and a network/communications group.
Added together, this makes at least 24 different domains. Together with the types of people active in projects, maintenance and support, who range from full-time staff to contractors, software suppliers and consultants, this is a complex situation – but it is the normal state of a bank today.
Today, we attempt to manage and execute multiple projects, enhance and support the entire IT facility in the same manner as for the last 2 decades.
People are expected to work together in a full privileged access management or PAM implementation project (which involves a very high degree of integration), so every PAM implementation becomes an integration project.
And we tend to think they work well together. However, they are constrained by the current process of integration methodology. The problem is not obvious in individual pieces of work; each part itself is not a problem. However, any disparity between two parts (unknowingly or otherwise) contributes to further issues in all the other parts.
This is a problem of the Collective.
The problem of the Collective is not diplomatic. We cannot go and tell someone “I have solved the problem of the Collective”, because the answer we would get is “I don’t have a problem with my Collective”.
When you have a “Collective”, there is “Dark Matter” of the Collective: something you cannot detect with the tools you normally use, although it definitely exists because you see its effects.
If you look at any project and you take the subject of integration, you actually will see this representation.
It’s those elements that are unclear. There are a lot of people involved, the circles are unclear, the words are unclear, something you can’t even see and you have this strange suspicion that there is something behind it all that we don’t entirely know about.
This is our integration project today.
But why would anybody consciously create a problem like this? The fact remains it is no single individual of the collective who consciously does negative things, none of us do. It’s our interaction that creates the dark matter and makes it look like this.
Dark Matter will always be created when more than one person works together. You cannot see nor touch it, but it exists. All you can see are the events that result from it.
The target landscape has changed today to systems that are complex and multi-dimensional, and every complex (and highly integrated) system creates something I call dark matter, which almost always exists in every infrastructure, in every network, in every piece of software, in business applications, in every file format and so on.
This is what the attackers are exploiting.
EITN: Please share how machine learning can help build a robust and effective PAM solution.
Sanjeev: Deep learning algorithms, a segment of Machine Learning, involve processing and learning over time, which thereafter assists in grouping and classifying user activities of a similar nature.
Such a methodical classification of activities addresses the problem of finding a “needle in the haystack”. The Security officer can identify and perform reviews more efficiently, thereby enhancing security functions in a productive manner.
Any user activity that deviates from standard operating procedure will be escalated for detailed analysis and review, helping operations to mitigate risks.
With AI-assisted technology, all user activities may be continuously machine-monitored. Actions leading to potential unauthorised or fraudulent activity provide a basis for prediction of such activity.
This complements existing powerful rules-based filtering methodologies, further enhancing the detection of fraudulent activities.
The predictive nature of this feature mitigates risk and helps to circumvent unwanted operational / risk cost implications.
Overall, this yields the key benefits listed below:
- Boost Productivity: Exceptions are flagged automatically in real time, improving surveillance and investigations, thereby increasing efficiency and productivity.
- Real-time Review and Notifications: Remedial actions taken in near real time prevent and reduce the negative impacts of unauthorised or fraudulent actions.
- Fraud Prevention: Prediction of unauthorised or fraudulent activities allows for preventive measures to take place.
So, what does Artificial Intelligence mean for PAM?
It is now possible for us to achieve relevance, precision and personalisation at scale – and the way we achieve it is as follows:
- Activity surveillance (we gather Intelligence from within our network using our PAM infrastructure)
- Activity classification (we classify activities and gain relevance)
- Activity scoring and anomaly detection (based on deep learning data model) – this gives us precision … much easier and faster for a computer to do this than a human being eyeballing stuff.
- Manual review still exists because we still need to train the models until enough data is available to give it accuracy. This is to classify an anomaly or the new normal in threats.
- Update the data model (which then creates a positive feedback loop). This gives us personalisation.
Real-time detection and remediation is also achieved:
- Unauthorised activity is detected by the real-time streaming and scoring component using deep-learning image classification models.
- The Security officer is alerted to unauthorised activity via the real-time streaming and scoring component.
- The Security officer then begins to monitor and review the activity.
- The Security officer can decide to delegate for intervening action if necessary.
- The Security officer then classifies the activity, which is then used as a feedback into the system for iterative/reinforcement learning.
Behavioural analytics is quickly becoming the cornerstone of almost every info security technology. However, it takes a lot more than simply analysing user activity with rules and statistics; it takes applying ML (Machine Learning) to access activity data, as well as employing AI (Artificial Intelligence) to reduce false positives and accurately risk score.
Two critical capabilities that we continue to address in our products are to enable automated risk response. Those lacking machine-based cognitive abilities have come to rely on static pattern definitions, signatures and policies for a legacy world of known good and bad. Today, we must assume compromise and assess risk, even more importantly for privileged accounts that hold the access keys to IT environments.
That said, we (as part of our collaboration initiatives with our in-house R&D and technology partners) have come to grasp the ideologies of applying the concepts of data analytics to access activity data to better judge its validity by risk scoring.
This is an approach that leverages the latest in ML and AI capabilities, and requires us to innovate and have a keen understanding of behavioural and predictive algorithms to deliver predictive security analytics to identify access risks and unknown threats. Nowhere is this truer than with controlling access to enterprise resources using privileged accounts and entitlements.
EITN: Please share what a security data warehouse is, what it is for, and how you can set it up.
Sanjeev: Surveillance is at the core of PAM.
One can record each access to an endpoint, regardless of login method (remote, console, leapfrogging), with the flexibility to record the entire session, a specific program/application or the active windows. This way we can achieve full transparency and disclosure.
Intelligence begins by collecting everything. So, in any organisation, the most important entity we set up (by means of a full MasterSAM PAM implementation) is a security data warehouse – in our MasterSAM Analyst solution.
Everything (every event) goes in there. Everything that can be correlated, classified, analysed and predicted upon.
It runs tight intelligence in the entire organisation (network) because fundamentally there is no price you can put on historical data. The importance of historical data increases exponentially with time. Fortunately, the cost of data storage is not high (and is decreasing with cloud enablement). So, we can now afford to aggregate all this data.
But where is all this data coming from? There are several solutions that sell threat intelligence. But, you have to look within to get your own threat intelligence. You have to look inside your own organisation, observe it and build your intelligence yourselves.
What all this means is that implementing a full MasterSAM PAM infrastructure in an organisation is only part of the building blocks; what creates value is to include all “targets” onto this PAM infrastructure at the onset and then let it learn and build the security data warehouse.
This results in a custom-made data model for that organisation and wherein we apply specific ML algorithms to achieve/chase specific results.
EITN: Rules-based vs intelligence-based security – what is this?
Sanjeev: The need for real-time analysis is becoming an increasing problem in PAM, which ensures that users have access to only the applications and data that they need.
Once attackers have access, they have the same privileges as the user that they stole from, which puts enterprise data and applications at risk.
Administrators could code rules to try and stop unauthorised logins. The obvious approach is to figure out how users should be accessing the network, and then establish rules that stop them doing anything else.
In practice, though, a world of flexible working, remote contractors and changing business conditions means that access patterns vary between employees, and evolve over time. That makes it more difficult for IT administrators to define rules accurately and keep them up to date.
This is where machine learning comes in. Rather than hand coding these rules individually, companies can instead use these algorithms to ‘learn’ how users behave over time.
Machine learning software takes an original approach to processing data. Instead of following explicit step-by-step rules to analyse each new piece of data in the same way, it makes the computing equivalent of a judgement call, based on data that it has already seen. Our team ‘teaches’ the machine learning software (by building data models) to look for certain characteristics in data by feeding it all the surveillance data from the network 24×7, resulting in a security data warehouse.
What does it mean for PAM?
Administrators trying to secure networks have a big problem: speed. Computer systems deal with traffic on a per-second basis, and security algorithms must spot attacks in that traffic in real time to stop intruders sneaking in unnoticed.
That makes cybersecurity difficult for administrators to handle.