Event Recording

Bernard Montel: Cyber Defense: The New Concept of iSOC - Where Identity and SOC Have Never Been Tighter

With the introduction of AI, machine learning and UEBA, the SOC objective is to detect abnormal behavior. More than ever, identity is the battleground in this new concept of iSOC.

During this keynote, you will learn how Identity Governance and the SOC need to be tightly coupled, and how to remediate when a threat is detected on a specific identity, using the concept of "Threat-Aware Authentication".

Okay, so again, thanks a lot for the introduction. As you said, I'm the field CTO, I'm part of the CTO office of RSA, and today the subject I wanted to share with you, I would have wished to do it physically, but it's very important. Thanks to KuppingerCole for maintaining the link between us with a cyber security event, virtually. So yes, the subject and the theme for today, for my presentation, is something I called the new concept of iSOC. This is not a new gadget; again, I'm working for RSA, but this is clearly a trend, and a subject where identity, which is, as you mentioned in the introduction, one of my backgrounds, has never been tighter to the security operations center. And that is what I want to present today. Let's go ahead. But before going directly to the subject, I think most of us, if not all of us, know that not so long ago, roughly 15 years ago, our security landscape was very different.
We were managing networks, you know, firewalls, VPN, antivirus, authentication, and the goal and the challenge that we had was to protect that network from intrusion. Our mission, in fact, was to protect what I'm calling the castle and the perimeter: everything inside the network was considered a safe place, and everything outside was not secured. And so our mission was to keep the bad guys out. So to detect intrusions, we invented the concept of SIEM, security incident and event management. So I just use a little Bible sentence: let there be the SIEM, and there was light. The goal was to collect all the device logs and to put all those logs into a central point, to be able to detect intrusions and generate alerts. In fact, collecting those logs, bringing them to one place, that was the SIEM challenge and the SIEM mandate. The main use cases that we wanted to detect were intrusions, network intrusions, denial of service, any kind of vulnerabilities.
Now, sometimes as well, the SIEM was used for post mortem investigation, but the main issue with the SIEM was, and still is today: if we didn't have any alert, we didn't have any threat. If you go back to the castle analogy, the SIEM was like the sentinel in front of the front door of the castle, trying to find out if there is any bad guy trying to enter inside this perimeter. And that was the perimeter we wanted to protect, like really a kind of a church, going back to the Bible analogy, but no alert meant no threat: an analyst using a SIEM without having any alert was completely blind as to whether he had any kind of threat. But most of the time we're making a confusion between intrusion and breach. As you can see in the title of that slide, this is clearly an evolution in our mindset, because if you look at the use cases, what is an intrusion? An intrusion is someone that has bypassed a control which is in place at the network level, at the endpoint level or at the application level: the control has been put in place, and someone finds a way to bypass it.
The main use cases, or let's say categories of use cases, that we want to cover with intrusion are mainly network penetration, malware detection, or a vulnerability that has been used. A breach is much more. We are living in a state of compromise when we change that mindset. That means that we know that our network today, or the place, or the application could be compromised. Anyway, it's not only trying to detect what is going in, but also what is going out. It's an in-and-out problem with a breach: when a breach happens, we have to have the full attack visibility in order to remediate and respond. But we also have to answer two main questions: who, and what. If I make another analogy, potentially in the middle age of that castle period of time, intrusion and breach were the same: when a castle was breached,
that meant that someone came in, and that was one of the things that the sentinel was there to do. But if I make another analogy, when someone breaks into your house, you clearly have an intrusion, but if nothing happens and then the bad guys go out without stealing anything, it was just an intrusion. If he stole something, then we have a breach, and what are we doing? We are making a long investigation to find out what is the extent of the damage. That is the main difference between an intrusion and a breach. This is also the main difference between the role of a SIEM and the mission of a SOC, security operations center. Now, in those years, in the middle, to achieve a security operations center, in fact what we've done, step by step, progressively, is add more and more features, technologies, processes and obviously people, but, you know, we wanted to detect and understand vulnerabilities.
We also wanted to have full visibility in the network up to the endpoint. We need to have clear data protection and sometimes data leak prevention, threat intel, threat detection oriented, in order to aggregate all those alerts and to scale. That was the mission of a SOC. As you mentioned in my introduction, for more than roughly 20 years at RSA, for the past six, seven years, I had the opportunity to meet a lot of customers in their security operations centers: more and more data, more and more alerts, sometimes hundreds or many hundreds of alerts per day. That was, and still is, the challenge of the security analyst. The security analysts say to me: but Bernard, we clearly have an alert fatigue. It's very difficult to find, within this amount of data, what is important and what is not important.
So then the perimeter exploded. We all know that today. We all know that our castle, or the perimeter around it, whatever the size of the wall or how thick the wall is, is not enough anymore, because that castle doesn't exist anymore. With mobile access, cloud adoption, IoT in some of the industries and islands of identities everywhere, the perimeter doesn't exist anymore. It's the reality; it's not even a debate. So we introduced machine learning and artificial intelligence. As you mentioned in your introduction, I've got a background in artificial intelligence as well, and I can understand why finally the machine needed to help. Help, I need somebody, help, which is one of my favorite bands, if you know this sentence. In fact, we introduced real-time risk engines, statistical analysis and machine learning to achieve one goal: not only to protect, but also to detect targeted threats and respond.
Ideally, what analysts want today is: Hey, Siri, can you find the bad guy for me, please? That would be great now, to just press a button and find, with machine learning and artificial intelligence, more threats than what we can find today. It's a little bit of a dream, but very recently we introduced, among those features and functions, one part which is very important, called UEBA. If you have never seen this acronym, and we have a ton of acronyms in our industry, this is User and Entity Behavior Analytics. But the part which is very important here, and which is new, and you will understand why I'm calling that iSOC: we're not trying to find if a network level has been compromised. We try to find here if a specific user, the U of UEBA, has a bad behavior, or a behavior which is abnormal. Abnormal doesn't mean malicious.
First, it could be suspicious. But then with UEBA, user and entity behavioral analytics, we are focusing much more on the identity, on the user itself. We are helped by the machine learning capacity, but the goal is now not to track whether there is even a vulnerability; we will consider that there is a vulnerability. The goal is to track whether there is a specific user having a bizarre behavior. This is the link between the classical SOC and the new iSOC. In fact, we try to find out if there is a bad access. In identity, what kinds of access do we have? We have the access that the user has: when someone has granted me an access, I have a specific access. When I have a strong authentication, for example, someone is giving me access for a certain period of time to an application.
The second kind of access is the access that the user should have. And the third kind of access is the access that the user really has. If you look at those three main domains, you will recognize access control, black or white: you give me access now to this specific application. Identity is the visibility on all of the access I should have, and sometimes there are some gaps. For example, if someone is leaving the company, he shouldn't have that access, but he has it anyway, because we didn't position the leaver access properly. And the security operations center, what is the goal? It is to find out what access the user really has, finding it in the network and, exactly, capturing an access that has never been seen before. And this is how UEBA, in fact, is helping here. And in the middle of those three kinds of access, those three categories of access, we have a trend which is now called zero trust. I know we talked about it this morning, but I will redefine a little bit this new concept. Is it really new? Let's see.
So, iSOC with a zero trust mindset: we now have the identity in the middle of the SOC challenge, or the SOC mission. We need identity visibility. We also need identity insight, which can be translated into analysis, in order to find the right action. As I said to you at the beginning, I think that zero trust is not a product. It's not really a feature. Sometimes, you know, some vendors are claiming: hey, yes, we have a zero trust solution for you. It's not really new as well. Let's step back again. In 1976, Saltzer, a professor at the famous MIT, introduced for the first time this notion of least privilege. I'm pretty sure all of us around this event, with a lot of identity background, know that concept or notion, the least amount of privilege.
If someone wants to complete a job or task, or have access to a system, we need to give him the least amount of privilege in order to do that task, no more. That was already something which is: hey, I'm not trusting, we need to give as little as possible. At the same period of time, three famous people at RSA, we know them very well, Rivest, Shamir and Adleman, and before them Diffie and Hellman, introduced the notion of public key cryptography, or public key infrastructures. In the middle of that PKI we also had trust, but trust in this way was not something positive. It was viewed as a negative term. First of all, in cyber security, we do not trust. It is not the same way as in normal life, where we have some friends or people we know physically, and we have a human relationship: we trust people. Now, in this case, first, we don't trust. An example: if a certificate authority was not trusted anymore, then the entire transactions were compromised. So again, trusted, but in a negative way. Then in the mid nineties, exactly 1994, a working group was created to develop the idea of de-perimeterization. It was early stages, but today we know it: it's the reality. Why? Because they thought that the core network couldn't be trusted anymore.
In the early 2000s, the network platform that we have today at RSA was developed to capture and analyze this network: capturing and analyzing the legitimate network, to find, in this network that we think is safe, whether there are any potential threats. We cut out the white space: everything that has been filtered is not analyzed, because it is already blocked. But when we go into this legitimate network, we need to find some threats. So at the end of the day, zero trust for me is much more an evolution. It's a mindset. And if we do a risk-driven approach, then clearly this has existed for decades. Now, going back to the iSOC concept, with identity triage, identity assurance, access assurance and activity assurance, combining identity and SOC: those are the features and functions to support this identity triage, continuous monitoring, deep visibility into access and entitlements, risk-based authentication on the identity part, but also linking those accesses to the logs, the network and the endpoint, being able, in real time, to coordinate action and answer.
But obviously, having in mind that this needs to be driven by risk, with a business context. To finish, I want to show you just one use case. Imagine the SOC is detecting an identity which is compromised, by having, for example, UEBA, user and entity behavior analytics, which is detecting an abnormal identity usage. An alert is raised, and then an investigation needs to begin with the identity context, the context from the identity. With an identity solution, we clearly have an identity scanner giving full visibility into the SOC. Just as we have vulnerability scanners, identity solutions are identity scanners, and they need to give the context back to the SOC analyst immediately, as a remediation plan or a remediation action. We can modify on the fly this specific entitlement that has been used by the bad guy, just because potentially it was not well positioned, or it has been compromised to make an escalation of privilege. What we can do as well is to step up the authentication on that specific identity. I want the SOC to just press a button, and then immediately the MFA consumes the fact that there is a threat related to that specific identity, and steps up the authentication. We're calling that the threat-aware access and authentication of an iSOC. So thanks a lot.
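The talk describes three views of access for one identity (what was granted, what the role model says the user should have, what the logs show the user really using), a UEBA-style check of a user's behaviour against their own baseline, and a threat-aware response: step up MFA and fix the entitlement on the fly. The following Python is an added example written for this page to show that loop end to end; it is not code from the keynote, from RSA, or from KuppingerCole. The user names, application names, historical events and scoring weights are all constructed assumptions for illustration, not any product's model.

```python
from collections import defaultdict

# --- Constructed sample data (hypothetical users, apps and events) ---

# The "has" view: what the IGA system says each user has been granted.
GRANTED = {
    "alice": {"crm", "git", "hr-portal"},
    "bob": {"crm", "finance-db"},
}

# The "should have" view: what the role model says each user needs.
EXPECTED = {
    "alice": {"crm", "git"},          # hr-portal is a leftover from a former role
    "bob": {"crm", "finance-db"},
}

# Constructed historical access events used to build each identity's baseline.
HISTORY = [
    {"user": "alice", "app": "crm", "hour": 9, "country": "FR"},
    {"user": "alice", "app": "crm", "hour": 10, "country": "FR"},
    {"user": "alice", "app": "git", "hour": 14, "country": "FR"},
    {"user": "alice", "app": "git", "hour": 16, "country": "FR"},
    {"user": "bob", "app": "crm", "hour": 9, "country": "DE"},
    {"user": "bob", "app": "finance-db", "hour": 11, "country": "DE"},
]


def observed_access(events):
    """The "really has" view: apps each user actually used, derived from the logs."""
    used = defaultdict(set)
    for e in events:
        used[e["user"]].add(e["app"])
    return used


def access_gaps(user, events=HISTORY):
    """Reconcile the three views of access for one identity."""
    granted = GRANTED.get(user, set())
    expected = EXPECTED.get(user, set())
    observed = observed_access(events).get(user, set())
    return {
        "excess": granted - expected,       # has it, but the role model says no
        "dormant": granted - observed,      # has it, never seen using it
        "unexplained": observed - granted,  # seen using it, never granted
    }


def baseline(user, events=HISTORY):
    """Per-identity baseline: the hours and countries seen in the history."""
    hours, countries = set(), set()
    for e in events:
        if e["user"] == user:
            hours.add(e["hour"])
            countries.add(e["country"])
    return {"hours": hours, "countries": countries}


def score_event(event, events=HISTORY):
    """Toy UEBA score of one new event against the user's own baseline.
    The weights are illustrative assumptions, not a vendor's model.
    A user with no history gets no baseline, so everything looks new."""
    user = event["user"]
    b = baseline(user, events)
    score, reasons = 0, []
    if event["country"] not in b["countries"]:
        score += 40
        reasons.append("new-country")
    if not any(abs(event["hour"] - h) <= 2 for h in b["hours"]):
        score += 20
        reasons.append("off-hours")
    if event["app"] not in GRANTED.get(user, set()):
        score += 50
        reasons.append("app-not-granted")
    elif event["app"] in access_gaps(user, events)["excess"]:
        score += 30
        reasons.append("excess-entitlement-used")
    return score, reasons


def decide(event, events=HISTORY, threshold=50):
    """Threat-aware authentication: turn the score and reasons into SOC actions."""
    score, reasons = score_event(event, events)
    actions = []
    if score >= threshold:
        actions.append("step_up_mfa")             # challenge this identity now
    if "excess-entitlement-used" in reasons:
        actions.append("revoke:" + event["app"])  # fix the entitlement on the fly
    if "app-not-granted" in reasons:
        actions.append("open_incident")           # access with no grant behind it
    return {"score": score, "reasons": reasons, "actions": actions}


if __name__ == "__main__":
    print(access_gaps("alice"))
    print(decide({"user": "alice", "app": "hr-portal", "hour": 3, "country": "RU"}))
    print(decide({"user": "bob", "app": "crm", "hour": 10, "country": "DE"}))
```

The entitlement reconciliation alone already surfaces alice's leftover `hr-portal` grant as both excess and dormant; the behavioural score only matters once that grant is actually used from an unfamiliar place and time, which is the point at which the response is to step up MFA on that identity and revoke the entitlement rather than to block a network address.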
