As a network architect and engineer, I was occasionally tapped by enterprises to forensically reconstruct events from packets. I could never be fast enough. Relating an edge IP address to a real person working with a variety of applications on the inside of a network was always more of an identity challenge than a packet-parsing exercise.
Today, machine learning is the preferred method for correlating identity, applications, and user behavior. Security monitoring and interventions can now be done in real time, without packet analysis. Cloud Identity and Access Management (Cloud IAM) has taken this to the next level. OneLogin’s Cloud IAM platform, for example, is exceptionally good at pulling together the security-relevant information. With single sign-on (SSO) we know who logged in, which applications they accessed, when they accessed those resources, and how. When combined with Privileged Access Management and monitoring (PAM), SIEM logging, and User and Entity Behavior Analytics (UEBA) solutions watching for aberrant behavior inside those applications, security professionals have a chance to prevent threats that have crossed the perimeter.
Securing and unifying wired and wireless access with single sign-on and multi-factor step-up protection is just the tip of the spear. As an identity best practice, most organizations deploy RADIUS within the perimeter, so that ACI and ACL logging as well as SaaS web application access behind the firewall can be correlated with user identity. If something suspicious is detected, access can then be challenged, modified or, if necessary, locked in near real time. (See this workflow in action in the Cisco and OneLogin webinar.)
When you bolster security with cloud-hosted single sign-on and multi-factor authentication (MFA), you have the richest datastore of intentional application access and correlated user-identity behavior data. Ideally, this coverage should be comprehensive across all your applications and all desktop and mobile endpoints.
What’s left? There is still significant identity information in web-application usage, browsing, and buying, which is usually cornered by social media, service providers, retail commerce, and financial institutions scraping and correlating web logs. That data is decentralized and quite expensive to acquire for security forensics. However, there are clever strategies to re-unify intentional and rogue identity/access data for security purposes. When it comes to IAM, there is nothing better than combining the power of DNS with IAM intelligence.
OneLogin and Cisco
We are excited to announce a new tool, in partnership with Cisco, to help organizations discover cloud applications in their environment and evaluate their security posture. Our discovery tool leverages data and intelligence from Cisco Umbrella and OneLogin to help organizations understand and address their identity compliance woes. All you need is a Cisco Umbrella subscription or trial!
Combining DNS traffic monitoring with identity and access information, the report reveals the everyday risks associated with corporate-sanctioned and unsanctioned application usage. CSOs typically approach discovery data in one of two ways: 1) ostrich (head in the sand) or 2) raptor (immediately picking off risky applications one at a time). Working with our more aggressive CSOs, we can provide early insights about corporate user behavior, and these early findings represent a vast improvement over what could be discovered from forensic packet sniffing alone. That’s the good news.
Unfortunately, with visibility comes realization around new questions of risk that we all wish we could unsee:
For instance, all monitored environments report a blend of corporate, private, and personal webmail. Unsanctioned file-sharing also remains persistent. As security professionals, I wonder whether we are too quick to accept a status quo in which exfiltration risks like these are constant.
From our findings, it appears that corporate VPNs—which are designed to protect—carry the bulk of risky application traffic. This likely stems from mobile device operating systems leaking personally identifiable information (PII) across personal and work applications and tunneling unsanctioned cloud traffic back into the corporate environment via the mobile device. As we redefine what constitutes an edge for cloud security, the mobile VPN era also needs to evolve. Applying SAML is now a best practice because it stops VPN logins from leaking passwords, but the aberrant behaviors caught by CASBs are now even more vital for catching compromised devices.
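The correlation the two passages above describe (DNS lookups joined to the SSO application catalog, then checked for unsanctioned webmail and file-sharing and for traffic arriving over the corporate VPN) can be sketched in a few lines. This is an added illustration, not code from OneLogin, Cisco Umbrella, or the discovery tool; the log format, app catalog, sanctioned-app list, and VPN address pool are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample DNS records (ts, source_ip, user, domain); not a real export format.
DNS_LOG = [
    ("2019-06-01T09:00:01Z", "10.1.4.22", "alice", "login.salesforce.com"),
    ("2019-06-01T09:02:13Z", "10.1.4.22", "alice", "mail.webmail-example.test"),
    ("2019-06-01T09:05:40Z", "10.20.0.7", "bob", "share.filedrop-example.test"),
    ("2019-06-01T09:06:02Z", "10.20.0.9", "carol", "app.box.com"),
    ("2019-06-01T09:07:55Z", "10.20.0.7", "bob", "mail.webmail-example.test"),
]
# Registrable domain -> (application, category); constructed catalog.
APP_CATALOG = {
    "salesforce.com": ("Salesforce", "crm"),
    "box.com": ("Box", "file-sharing"),
    "webmail-example.test": ("ExampleMail", "webmail"),
    "filedrop-example.test": ("FileDrop", "file-sharing"),
}
SANCTIONED_APPS = {"Salesforce", "Box"}          # apps connected to SSO (assumed)
HIGH_RISK_CATEGORIES = {"webmail", "file-sharing"}
VPN_POOL = ipaddress.ip_network("10.20.0.0/16")  # assumed remote-access VPN pool

def classify_domain(domain):
    """Walk the label hierarchy so sub.host.example.com matches example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = APP_CATALOG.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def discover(dns_log):
    """Join each DNS lookup to the app catalog and SSO list; one finding per hit."""
    findings = []
    for _ts, src_ip, user, domain in dns_log:
        hit = classify_domain(domain)
        if hit is None:
            continue  # not a known cloud application; nothing to correlate
        app, category = hit
        findings.append({"user": user, "app": app, "category": category,
                         "sanctioned": app in SANCTIONED_APPS,
                         "high_risk": category in HIGH_RISK_CATEGORIES,
                         "via_vpn": ipaddress.ip_address(src_ip) in VPN_POOL})
    return findings

def unsanctioned_risk_report(findings):
    """Unsanctioned high-risk lookups: total, how many came over the VPN, per app."""
    risky = [f for f in findings if not f["sanctioned"] and f["high_risk"]]
    return {"total": len(risky), "via_vpn": sum(f["via_vpn"] for f in risky),
            "by_app": dict(Counter(f["app"] for f in risky))}
```

In the constructed sample, two of the three unsanctioned high-risk lookups arrive from the VPN pool, which is the pattern the paragraph above describes.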
Finally, I would be remiss not to count the number of bad passwords that are coupled with unsanctioned, high-risk applications discovered by monitoring DNS traffic. Countless reports from Verizon, Cisco, and other analysts show that users use the same password patterns across sanctioned and unsanctioned apps, leaving them vulnerable to smart phishing attacks. Hackers phishing for those patterns will keep an enterprise’s risk score high until the number of passwords is reduced, replaced, or protected with MFA.
As with any tool, local knowledge is required to place findings in the appropriate context. But I remain hopeful that we can help reduce the number of risky apps, and the risks from the proliferation of passwords, identified with OneLogin’s new discovery tool. By calling out these vulnerabilities, advocates can use the reports’ metrics to reconcile shadow IT projects and achieve productive organizational change.
We’ll be at Cisco Live 2019, June 9-13. Stop by our booth for a OneLogin demo, a chance to win an iPad, and discuss our approach to cloud risk assessment. If you’re a Cisco Umbrella user, stop by to learn how to immediately deploy our free cloud risk discovery engine and build its results into your own customized professional services report.
Benjamin H. Sherman, Ph.D.