Webinar Recording

Reducing Risk with User Behavior Analytics (UBA)


Artificial Intelligence (AI) and Machine Learning have matured to the point where making use of analytics in security broadly is possible. More specifically, this is now possible in Identity & Access Management. One of the most interesting applications of such analytics has been in managing privileged identities and accounts. Given that such identities and accounts have access to sensitive and business-critical data, it is very important to ensure that they are not only protected, but also monitored in real time for anomalies in behavior. The use of User Behavior Analytics (UBA) to monitor access to privileged accounts helps organizations reduce risk while simultaneously accelerating business growth and expansion.

Good afternoon, ladies and gentlemen, or, depending on the time zone, good morning, ladies and gentlemen. Welcome to our KuppingerCole webinar, Reducing Risk with User Behavior Analytics. This webinar is supported by CA Technologies. The speakers today are me, Martin Kuppinger, I'm CEO, founder, and Principal Analyst at KuppingerCole, and Mark McGovern, who is Vice President of Product Management at CA Technologies. Before we start, before we dive into the topic of how we can use advanced analytical technologies to reduce the risks associated with cyber attacks, but also with internal attackers, I just want to quickly talk about KuppingerCole and upcoming events, and provide some housekeeping information before we then directly start into the presentations. KuppingerCole is an analyst company. We are headquartered in Germany, but have people in the US, the UK and Australia, and in other countries. We are specialized in information security, have a strong focus on the identity and access management space, but also other areas of information security, and a variety of topics around the digital transformation.
Our business areas are research, events and advisory. So in the research area, we look at different types of research, so we do leadership and other stuff. In the event area, we do our webinars, and we do other events, which I'll touch on in a minute. And then we do advisory to end user organizations, and to system integrators for end user organizations, with the focus on strategy, roadmap, product selection, that type of thing. So this is basically the business we are doing around the topics we cover. We have a couple of upcoming events, which include the European Identity & Cloud Conference, which is our main event, to be held next time May 9th to 12th in Germany, in Munich. And then we do a Consumer Identity World tour covering various aspects around consumer identity, which we will do in APAC, so in Singapore, concretely in August, and September in Seattle, and then November in Paris. Regarding the webinar, here are some guidelines.
So you are muted centrally, so you don't have to mute yourself; we are controlling these features. We will record the webinar, and the recording will be available by tomorrow at the latest. And then there will be a Q&A session at the end, but as always, you can enter questions at any time. So just feel free to enter the questions in the questions area of the GoToWebinar control panel once they come to your mind, so that we have a long list of questions at the end to have an interesting Q&A session. The agenda, as always, more or less, is split into three parts. In the first part, I will talk about scenarios where analytics fits in the security landscape. I will look at emerging trends in privilege management, and I will look at how to gain insight into user behavior, so giving more the overview, sort of preparing the ground for Mark. Mark McGovern then will talk about and give insight into some practical challenges organizations are facing in getting analytics to work for privileged identities.
And then, as I've said, there's a third element, which is the Q&A session. So I want to quickly start with sort of the changing requirements. That will center very much around privilege management. So user behavior analytics is bigger than privilege management; however, looking at privileged users is currently sort of the main focus of most players in the field, just because these are the users which are most at risk, and I'll touch on this later when looking at how some advanced targeted attacks typically run, which will make this even more clear. So when we look at privilege management, obviously we have an increase in the threats and attacks. So we see more of these. We just a couple of minutes ago received one of these news items, these yearly threat reports of a vendor, saying 2016 was the year with the largest number, but also the most sophisticated attacks. We additionally have a challenge of new deployment models. So how do we secure the cloud? We have, on the other hand, more and more service provider models. So how do we deal with that? So how can we control what service providers are doing, which usually have very highly privileged entitlements in our systems? We have to deal with connected things and more data.
We have the challenge of integrating everything, so looking at it in a more consistent way, and we have more and more compliance challenges. And I think this is basically sort of the story, the situation we are facing. And particularly this changing threat landscape means we also have to find ways to better address this. And here it's, from my perspective, very helpful to look at how these threats commonly run, and how they run in a very good example. So you might have heard the term advanced persistent threat, which is a very common term: threats which are complex, usually consist of various attack vectors, which are persistent in the sense that they're long running, that they are not just an automated one-time type of attack, and they are usually targeted.
And so how do these attacks usually run? So emails are sent to users, for instance based on social phishing, trying to bring someone to install some type of malware, whether by clicking a link, by opening an attachment, whatever. Once the malware is installed, it starts scanning the network for other vulnerable systems, spreads out, it might install other types of malware, trying to use zero-day exploits, so in fact unknown, non-patched exploits, installing itself, gaining more privileges, and then acting on behalf of other users. And this is, I think, the point where this link between what is happening in the attack space on the one side and, on the other side, why we need to understand user behavior becomes very obvious. So in that case, the attacker is acting on behalf of a user.
And if you start understanding, okay, this is the normal user behavior, and this is an anomaly, this is an unusual pattern, then we can potentially better and faster identify attacks. So in the persistent attack scenario, the virus will then start sending data back. So very concretely, and this has been published in a blog, the example of the RSA attack, which happened back in 2011, which is, I think, a very good and more or less really perfect example of how these things work. So the attackers searched social networks, they identified employees, and then they ran a spear-phishing attack with a "recruitment plan" document, so an attachment containing malware, which is not surprisingly then attractive to some of the readers. So this recruitment plan that might affect me might be very important to me; open it; a zero-day exploit, in that case in Adobe Flash, also not a surprise, particularly these days, it had masses of bugs and flaws; remote control with a reverse connect.
So it connects from inside out. So that's not from outside through the firewalling, but inside out, which usually works far better if you initiate the connection from the inner side. Search for accounts with sufficient privileges, gain access, from the first accounts down to sort of the crown jewels, in that case the SecurID seeds. And again, in fact there were a lot of accounts used, and these accounts started doing things they usually didn't do. This was in fact about anomalies. And so understanding user behavior is, when we look at it from a security perspective, an important element; it allows us to better understand what is happening. And so when we look at the privilege management landscape, where we have the standard elements such as shared account password management, so avoiding one-time passwords and so on, account scanning, so identifying all the accounts, we also have the area of session management with the monitoring, the recording of sessions, and the sort of newer blocks of features.
One of the, probably the most important one, is this area of privileged user behavior analytics and anomaly detection. So we see this as a very strongly and also rapidly emerging field. And our perspective clearly is that this is important because it helps us sort of close a little bit the gap between the attackers and the ones who are attacked, by being faster in identifying anomalies, faster in identifying potential attacks, better understanding what is happening here. So this is what we are doing here. And so from our perspective, when you also look at sort of the entire journey of identity management, identity access governance, in the journey this is also an important element. So on one hand, we see the intelligence piece, so advanced analytics, understanding more complex relationships, understanding for instance which users have different entitlements, but this is still more a static and ex-post view, which is looking at what is the state, what is wrong in the state.
And it doesn't look at what the real behavior is, and someone who has an entitlement does not necessarily use the entitlement the way it is planned. So understanding the user behavior, understanding overall what an anomalous behavior is, becomes a very important thing. So understanding insider attacks, identifying hijacked accounts, identifying misuse, all these types of things. So if a backup operator does one backup the other day, that might be just his job; if he does two backups, it might be a challenge, because he might do one backup for himself and put the tape, or whatever he uses, into his backpack or whatever he has, and take it back home and sell it somewhere else. Or if someone in a bank accesses, whatever, 10 or 15 or 50 customer records per day, that might be his normal behavior.
But if he starts accessing thousands of records, that might be something where he's just trying to collect a lot of data in an illegal way. So understanding the user behavior pattern and the anomaly analysis is important. And one discipline within that is the privileged threat analytics, which focuses on the privileged user accounts and the privileged behaviors, because these are the ones which are sort of most at risk at the end of the day. So this is the evolution we see here, beyond privilege management, but where privileged threat analytics still is at the forefront of what is happening currently. And this fits very well in this privilege management life cycle I've created a while ago. So we need to understand first what our challenges are, we need to identify our privileged accounts, which might be shared accounts, which might be operator and administrator accounts, but which also might be highly privileged business user accounts.
We need to protect them. We need to put the controls, the measures, in place. We need to monitor, but we also need to detect when things are going wrong. And this again is the point where these technologies come into play. We need to respond, and the quicker, the more rapidly we know that something's going wrong, the faster we can react, and then we can improve. So we should try to really fix the holes we identified for attacks. That's where the life cycle, so to speak, is closing, because we have learned other stuff, we understand it, we can improve ourselves. And having said this, I think it becomes very clear that privilege management is an element of identity management, but both identity management and privilege management are very closely related to cybersecurity. So this is where all these things finally come together. And it also plays, from our perspective, an important role in the breach and incident response we have to set up.
And if you look at a lot of the regulations these days, so in Germany, for a while now, we have the IT-Sicherheitsgesetz, the IT security law, which says, if you're in a critical industry, then you have to provide a breach notification within a very short period of time to a government agency, et cetera. So there are a lot of things to do, and we need to understand, and again, here it's not only about understanding the challenges, setting up controls, improving it, but also having a crisis and incident management in place and being able to mitigate our risks. So not only prevent, but detect and respond. A lot of what we did until now in our information security efforts was about preventing. User behavior analytics is about detecting and then allowing us to better respond.
This is where really this comes into play. So doing all this incident handling, understanding that there are incidents, analyzing them and reacting on these, is in the detect and respond part on the upper side of the slide. This is really where this technology plays a very important role, where it helps fostering our security operation centers or cyber defense centers, whichever term you're using these days. So privilege management is evolving. And when I created a slide, then we have, on one hand, shared accounts, and we have individual accounts with elevated privileges, and accounts with elevated privileges are also a subject of other technologies which are not privilege management, such as identity provisioning, such as governance, enterprise single sign-on. And on the other hand we have for shared accounts some very specific technologies, both for credential management and session access. But when we look at session run time, so far it was more the privilege elevation management.
So for instance, restricting the use of certain commands in a Unix or Linux shell. But right now, beyond session monitoring and recording, as one of the trending topics, we really see this privileged user behavior analytics as, I would say, the trending topic in privilege management. And so this will be basically the future, also in privilege management. So when we look at this, sorry, let's go through that, because it was what I had before, and unfortunately I didn't translate it. Let's look at the changes. So what do we need to change? So for the threats, we need to look at the integration into cyber security. So we should understand privilege management as something which goes beyond. For the deployment models, we need to support cloud, and we need to support managed service providers. We need to look also at the connected things and how we can protect them, particularly in the industrial IoT world, but also for the entire operational technology.
So all this data and ICS devices, the industrial control systems; we need to integrate with identity management and beyond. And we should look at audit features as one important element. And in this evolution of privilege management, from our perspective, maybe the most important element is bringing behavioral analytics into play, to get faster and better in understanding and faster in reacting. With that, I hand over to Mark, who will talk in the next part about his view on reducing risk with user behavior analytics, and how to do this: some tips for reducing risk with user behavior analytics. Mark, it's your turn.
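As an added example that is not part of the webinar or of either speaker's material, the following Python script implements the kind of baseline-and-anomaly check Martin describes: it parses constructed access events into who, what, where, when and how many, learns each privileged account's usual daily volume and source hosts, and then flags a second backup run, a jump from tens to thousands of customer records, and a session from a never-seen host, each with a plain-language reason rather than an opaque score. The log format, user names, hosts and numbers are all constructed for this example.

```python
"""Per-account baseline detector for privileged-activity logs (constructed example)."""
import re
import statistics
from collections import defaultdict

# Constructed sample logs, not from any real product.
# Format: <day> <who> <what> <target> src=<source host> count=<how many>
HISTORY_LOG = """\
2017-03-01 ops.backup backup_job tape01 src=10.0.0.5 count=1
2017-03-02 ops.backup backup_job tape01 src=10.0.0.5 count=1
2017-03-03 ops.backup backup_job tape01 src=10.0.0.5 count=1
2017-03-01 j.clerk read_customer_record crm src=10.0.1.20 count=15
2017-03-02 j.clerk read_customer_record crm src=10.0.1.20 count=40
2017-03-03 j.clerk read_customer_record crm src=10.0.1.20 count=12
2017-03-01 s.admin sudo_shell hr-db src=10.0.2.9 count=3
2017-03-02 s.admin sudo_shell hr-db src=10.0.2.9 count=4
2017-03-03 s.admin sudo_shell hr-db src=10.0.2.9 count=2
"""
TODAY_LOG = """\
2017-03-04 ops.backup backup_job tape01 src=10.0.0.5 count=2
2017-03-04 j.clerk read_customer_record crm src=10.0.1.20 count=3000
2017-03-04 s.admin sudo_shell hr-db src=203.0.113.7 count=3
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<who>\S+) (?P<what>\S+) (?P<target>\S+) "
    r"src=(?P<src>\S+) count=(?P<count>\d+)$"
)


def parse_event(line):
    """Split one log line into who / what / where / when / how many."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["count"] = int(ev["count"])
    return ev


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per (user, action): the daily counts seen so far and the source hosts used."""
    counts = defaultdict(list)
    sources = defaultdict(set)
    for ev in events:
        key = (ev["who"], ev["what"])
        counts[key].append(ev["count"])
        sources[key].add(ev["src"])
    return {"counts": counts, "sources": sources}


def detect(baseline, events, min_days=3, sigma=3.0):
    """Compare today's events against the baseline; return findings with readable reasons."""
    findings = []
    for ev in events:
        key = (ev["who"], ev["what"])
        history = baseline["counts"].get(key, [])
        seen_src = baseline["sources"].get(key, set())
        if not history:
            findings.append({**ev, "reason": f"{ev['who']} has never done {ev['what']} before"})
            continue
        # Relationship check: first time this account acts from this source host.
        if ev["src"] not in seen_src:
            findings.append({**ev, "reason": (
                f"first time {ev['who']} did {ev['what']} from {ev['src']}; "
                f"previously from {sorted(seen_src)}")})
        # Volume check: today's count far above this account's own usual level.
        if len(history) >= min_days:
            mean = statistics.mean(history)
            spread = statistics.pstdev(history)
            if ev["count"] > mean + sigma * spread:
                findings.append({**ev, "reason": (
                    f"{ev['who']} did {ev['what']} {ev['count']} times today; "
                    f"usual is about {mean:.0f} per day (max seen {max(history)})")})
    return findings


def run_example():
    """Build the baseline from history and check today's constructed events."""
    baseline = build_baseline(parse_log(HISTORY_LOG))
    return detect(baseline, parse_log(TODAY_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['day']} {f['who']}: {f['reason']}")
```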
Hey, thanks, Martin. I thought that was a great introduction and overview as to what's going on in the privileged access world and where analytics fits in. And as you alluded to, what I'm going to walk through is a little bit about how we view the problem itself. So what is the core root cause of what analytics can help bring to the privileged space? And then I want to talk about some tips, things that we've noticed in helping customers get off the ground with advanced analytics, and particularly with threat analytics in this space. So let's get started. So the problem, as you laid out, Martin, and I think correctly so, is that the bad guys are coming at the enterprise in different ways, and they're attacking it, whether it's, in the RSA case, where they've gone at it with a phishing attack and then elevated privileges from that; they come at it with malware, they come at it with all sorts of different attack modes. And the challenge, I think, in a lot of ways, when we take apart the problem and look at it and say, what's the root cause, what are they taking advantage of?
It's that the defenses that we've built out over the last 20 to 30 years are largely rules-based systems. So the enterprise defense systems today, or to date, have been very static. They rely on the fact that the administrators have the ability to lock down to the point where a user can't do anything dangerous, with a set of rules or a set of pre-configurations that boxes them in, in a way that they can't do anything. And I think we all know from a practical perspective, users have to have the ability to do things that arguably, if they were a bad guy or they were malicious, could do damage. I mean, it's just the nature of it; we have to give them access. So the challenge we face is, bad guys have figured out that these static rules are there, and that since the systems aren't watching the behavior and watching the activity over time, the enterprise can't detect when something changes. And Martin, I think you pointed that out really well, that, you know, the fact that there's nothing there today to recognize that an account that before was doing X and Y is now doing A and B, that's a real gap in the existing defenses.
And it's because the systems are really designed to be rules enforcement systems, static policies. So that static nature is really the core issue. And fortunately, it's the place where analytics really has a great fit. But understanding a model: I think in some ways, when we think about how we solve the IT model of how we use analytics for an enterprise or a business, there's a question as to what's the model we're trying to emulate. What is the way that someone has used analytics in maybe a different format or a different form to solve a similar problem? And the fortunate part is that as consumers, we're all fairly familiar with the idea of a model that's incredibly powerful. And that model is how credit card systems use analytics to stop bad guys and stop attackers. So, you know, that piece of plastic that probably everyone on this call has one or more of in their pocket, that we use every day now for buying things or, you know, doing business, is protected not because of the plastic, not because of the hologram on it or the mag stripe information; it's protected, in large part from the big problems, by the fact that the bank that issued you that card is watching every transaction.
And it's watching every transaction not by putting it in front of a human and not by running it against a static set of rules, but by using analytics that are figuring out over time what's normal for me, what's normal for Martin, what's normal for you, and then recognizing when there are deviations from that. So when is something highly inconsistent happening? When is something that Mark is doing looking like a bad guy? So when does he start to look more and more like something that I recognize as malicious? So that's a model really to think about, and it's got a lot of interesting parts to it that fit into the IT world. So not only is it watching the transactions and watching access to something we care about, but it's detecting when a bad guy is doing something, and a bad guy can be the actual card holder I gave the card to, or it could be someone who stole the card or the card information.
The last thing I'll say that's really important is there's an automated mitigation aspect to the credit card world. And we're all familiar with that, right? It's the concept of, how do I get notified that something may be going on? We're asked to do something that we readily understand, whether that's call the credit card company or provide some secondary piece of information, like a zip code or something else in a certain payment mode. So there's an integrated mitigation capability that's tied to those analytics, and that mitigation mechanism is something that doesn't block the user completely from what's going on, but enables them the ability to proceed further if they take action. It's a low-friction type of approach. And I think all of those things are really important when we think about how we're going to take the credit card model and put it into the IT world, because we want all the same functionalities.
We want usability. We want to encourage people to access systems and use the data that we've given them. But we want to be able to detect bad guys faster and better, no matter how organized they are and no matter how sophisticated they are. So in many ways, the IT world and the business world that's going online these days is in the same world that the credit card guys have been in for 25 to 30 years. And so emulating what they're doing has real power. Now, a secondary aspect that I'll mention here is that CA is a leader in the online fraud business. So the work that we do at CA importing over this credit card model benefits from the fact that CA is a leader in doing fraud detection for banks globally, in what's going on in the world and the way that we're learning from that.
And again, learning from both our IT expertise and what we do in providing products like CA PAM and SSO and advanced authentication capabilities, it's mapping that into the IT world and making sure we do the right thing. So there's a whole bunch of things that are required to get an analytic solution like this working in the IT world. And what we do is make sure that all of those elements are really packaged up and easy for folks to deploy. And we're going to talk a little bit about these when I talk about the tips and things that you guys should think about when you're deploying advanced analytics and you're trying to get them to work in your world. But I think it starts with how you get to the event information and how you make use of it. So how do you get that information into the system?
That's going to provide you your analytics, and how do you derive out of that the normalized views that are important? It's a critical issue that we believe is important to be integrated into the product itself and into the analytics solution. And then the second, of course, is the analytics themselves. So what is this thing going to learn? What is it going to know based on what you feed it? And having domain-specific expertise, having a very focused view as to what you're doing with the analytics, is incredibly important here, because analytics is this fuzzy word that gets thrown around a lot in the security space. But what you and I want is a solution that is pulling out the right information and making sense of it. So it's seeing the right characteristics and it's making the most use of those. So we're going to talk a little bit about the analytics and the packaging and what goes into those and what you should look for and such.
The third part is, what's the insight, or what are the relationships that I learn over time? Now, this is really a new concept in the IT world. We're going to talk a little bit about this and what you should be gaining out of this in value, but think about it this way. You know, traditionally enterprise systems have looked, again, at rules, have looked for: does an IP address match this, does this match that, and very simple sorts of static rules that are very brittle, but they're not really looking at relationships. So a new aspect of what analytics enables, and what we'll be talking about, is the power of what do I know and what can I tell: if I can tell all of the things that Martin is associated with, what has he accessed, what devices has he used, where has he come from, et cetera.
So these relationships and the behaviors are important, both in recognizing it's a new insight for you, but also what are you going to do with it, and what's that power it gives you. And then the last step is, again, the automated mitigations. And in the automated mitigations world, it's different than credit cards, right? So automated mitigations have to fit the use pattern and the threat that I'm after in the IT world or in the business world. So how do I integrate mitigations that are really powerful and enable what you want, which is less work by the admins, less reliance on them, and more effective detection and mitigation against the bad guys? And using the power of your position as the system owner in what mitigations you want to put in place is really important. So we'll talk about that and how that works. The benefit across the board, though, that's important to realize, is it spans a spectrum of issues that you're really trying to get at.
So if you look at the top here, you start with sort of the threats, and the threats say, I've got threats that are outsiders, meaning malicious attackers who I don't know, and I didn't give them any privileged access, I didn't authorize them to access anything in my system. So they're coming at me in different ways and attacking me. The second across the spectrum that I'll say is of importance are the insiders. So we've got a series of issues these days in regards to: we've provided users privileged access, but we don't trust them. So they're privileged but not trusted. So in many cases that might be overseas partners doing development for you. It could be remote, sort of nomadic teams that you've brought into your environment to do things. They can be support people, partner people, even customers that you've partnered with in a certain way to give them access to things. But they are privileged but untrusted users, and watching them, particularly in the PAM environment, is critically important.
And then the last, on the right side of the spectrum of value, is keeping in mind the fact that you want to know more these days about what your system's being used for, because you are very often asked. It's very common that the identity and access management folks or the defenders are asked these days, you know, one part of the organization says, hey, we're seeing this type of behavior; it can be the general counsel's office, it can be the security operations center, but somebody comes in and says, we think something's going on here, can you tell us about X, Y and Z, or are you seeing that behavior on your system? And we believe that the faster you can answer those questions and the more insight you have into your systems, the more secure you ultimately are in the long run, because you as a system administrator or a system operator know that much more about what's going on and can see the anomalies, can see the bad things happening quickly.
So I think that's a big thing. And let's step into the tips themselves. So I have five of these that I think are pretty important in what we've seen in helping people get a new analytics capability out into their environment and making it work. And the first is to start on a problem that's focused. And Martin alluded to the fact that privileged access is a great place to start with analytics because it's the target. And that's true. So I think the fact that attackers are really trying to get to the privileged access and get to the admins, get to the resources that only the admins or the administrators or the privileged users have access to, that's a critical reason to start there. But another reason to start there is PAM, and the PAM system has the visibility that enables you to do the right things.
So it's unlike other systems or other problem sets that you might go after, where you have to collect and touch a bunch of different systems to pull the information in to see new things. So if you have to go out and read the DNS system or read your DHCP system or read from your firewalls and your IDS, think about the fact of all those touchpoints that you have to get to. And secondarily, you have to pull them into a system and make sure that the information is being pulled out correctly, so that it's being normalized correctly, so that Mark is called Mark in this system, and he is also called Mark in that system, and if he's not, how do I map the two onto each other? The beauty of starting with the PAM system is that it's a choke point that gives you the visibility against something that you really care about.
And that a lot more information can be derived out of, because you're watching that access and you're watching that activity already closely. So if you haven't deployed a PAM system, it's a great reason to do that. And secondarily, if you have a PAM system, the analytics give you that much more power out of it. So it's a really good place to start using analytics, and a great reason to use PAM if you haven't already. So I'd say stay focused and avoid what often folks will call the boiling-the-ocean type of problem. So don't get yourself into a problem where someone says, the more information you have, the more you know. That's actually, in many cases, analytics-wise, not true. So what you want is the information that's the right information. And you want to have analytics that are mining the data that you've got, but you don't want to create a problem for yourself where you're piling up too much data and you can't see the thing you care about inside of it.
So that's tip number one, I'd say, and we see folks all the time who are extremely happy when they start to realize that in the PAM world they can get to what they want, as opposed to going out and doing all that extra work. The second tip is to be very focused on the idea that analytics shouldn't be this black box. It should be something where that data that you're feeding into it is revealing things that you as a human understand. So as an analytics person, I'll tell you that what that's really called is transparency. So the term is transparent. And what it means is the thing that the machine pumps out at the end. So it takes in all this information, it runs it through algorithms and analytics, but at the end, what I want to know is something that I can understand as a human. I don't want a score.
That's just 72 out of a hundred. I want to know they came from an unusual location, they accessed this thing in a way that they hadn't accessed it before, they did this in a way that was unusual. And that insight is really important. And it really comes out of, think of it as a multi-stage process internally, where the events themselves, so each syslog event or each activity, get parsed out, and you recognize the who, what, where, when, how. But that's of a discrete event. What your analytics should be doing is looking over time and recognizing more sophisticated pieces of information or context. So what's average, what's normal, what's unusual? Is this the first time you've seen something? Is this related, is this entity related to that entity? And then keeping that information in a way that it provides true value to you. And that's a big difference, right?
I'll point out that, as I said before, that's a new aspect in the IT world, or in the data-system defense world: recognizing those relationships, and not just looking at the pattern matching of the event when it first comes in. So learning that over time and learning context is incredibly important, and it's something you should look for in your analytics and in what you're going to do with analytics over time. The next is that it actually exposes that to you as a human. Think about the fact that what you want is the ability to dive into a system or into this information, to be able to drill down into a specific user's activity and understand what they're doing, or alternately to look across my system and recognize the trends of risk. What are the things that systemically I should care about, so that I can drill into the high-risk capabilities and recognize the users themselves who are posing high risk at any given time?
So that entity and those relationships: you should be able to pull out of them the things that operationally enable you to have value, whether that's you as a human looking across the system and understanding it, or drilling down into specific identities and recognizing the behaviors of what's going on. Exposing that to the human is incredibly important, and it's something we believe is critical to the success of the overall analytic solution: that an administrator or a security investigator can quickly get to that information and make sense of it. And then of course you also have the "I'm running a system, I should know what's going on" aspect. So you build into it the ability to display to you what the trends are, how your system is being used at a broad level, so that you can improve it over time, either for security reasons or just because you want to get the most value out of it.
We think those are all important on the operations side. The fourth tip I'm going to talk about is making sure the detection capability, and for security guys this is the thing we think about the most, is looking to detect things in a new way, and to detect the things that static rules couldn't. This is another aspect of why the entity-relationship map is really important. The fact that a new relationship or a new access mode is detected may, by itself, mean nothing. It may mean that the user has just started to use a new data source. What you really want to do is look at all of the relationships and all of the trending that you're seeing, both for that user and for all the other users, to see if this really stands out.
And that's how you start to get the signal out of the noise. So with the entities and the relationships, what you don't want to do is turn it into a new sort of rule set that says, "hey, any time this user gets a new device, I want an alert." That's actually something you want to look at backwards and say, well, really what I want is an analytic system that recognizes it's unusual for this person to get a new device, or maybe a device of this type. So you're looking for multiple things being triggered at once, very similar to how a credit card works these days. The credit card systems have gotten much more advanced in that they don't just trigger because you're traveling; they're actually looking for unusual things you're doing while you're traveling. So: I know what a traveler looks like, and you're doing something that a traveler wouldn't do.
Like buying a TV while you're traveling to the Bahamas. That would seem unusual. So that's the type of thing you want the analytics to really be able to do: look not just at the individual but at the trending you're seeing, and then only highlight to you the things that are really compelling and really different, because that's what the bad guy is going to look like. The bad guy is not going to emulate what a good person, your legitimate identity, does. They're going to look like something unusual, and that's what we're really fencing in here. We're using analytics to keep the admins or the system defenders from having to write elaborate sets of rules and keep up with them. So it's an incredibly important aspect that your threat detection is based not on just a single change, but on looking across the context of the user and the population. Threat tip number five is about mitigations.
So there are different types of attacks. Remember we talked about the spectrum of attacks and attackers and what they're coming at you with. What you want to be aware of is that there are certain cases where you may or may not want to be alerting on the fact that you've recognized something is going wrong. And this is actually a big change from the credit card side versus the system side. If you're an enterprise defender, or a person who's looking at that real issue of insider threats, the response you may take could be completely different from what you would try to do on a compromised account. With a compromised account, you want to stop it and take action, and you don't care how overt it is; you'll do that as fast as possible if you believe it'll stop the bad guy, whether that's forcing re-authentication or really driving at the ability to shut that outside attacker off. On the insider attack, you may very well want to be alerted to it and become more aware of it, but you want to get deeper information about what they're doing, because you're going to have to deal with how you confront that person and how you demonstrate that they were doing something that was truly bad.
So we take actions in our product where we actually trigger silent session recording. As soon as we see something that looks like that, we'll start recording those sessions, and we'll do that based on risk. It's an interesting way of getting at how I collect the information and validate it, without creating a hurdle for the admin of a lot of things they have to review. Because we tag it with the risk, the admins only have to review the ones that are high risk. So keep in mind that you may want to suit the mitigations to the type of threat that's coming at you. And the second thing is that you want to look for mitigations that are appropriate for what your users are doing; in many cases, and increasingly these days, you want things that are invisible to legitimate users.
You want things that they view as low friction. So re-authentication, the silent recordings, enabling other workflows: these are important. Things that are invisible to the users are very important these days in bringing something to market, enabling it in your environment and making it work. I think we're all aware that if you bring out some system that suddenly forces users to go through a lot of steps to get to the access or the data they need, there's a lot of pushback on that, and it creates a lot of work for both you and the customers. So what you're really trying to do is figure out, just like the credit card guys do, how to improve security while at the same time managing usability and maybe improving it. There's a big aspect of that.
So I think that really walks through the top five things that, when we're helping customers, we see as points that help them get around what they were thinking about, or get them to success faster: an integrated solution that fits with the PAM environment and gives them all the information they need up front; analytics that provide context, both to the machines so they can make better decisions based on full context, and to the administrators, so that they know more, see more and understand how their system is being used; and then automated mitigations that are both usable and stop the bad guys. That's what we see when we help customers and enterprises deploy analytics and user behavior analytics these days, and how you really get to success fast. So with that, Martin, I don't know if you had any questions, or if
Yes, thank you, Mark, for your presentation. We'll now move into the Q&A session, so it's time to enter your questions. If you have questions, please enter them now. We already have a couple of questions here, so I'll start with some of these. One is, I think this is an interesting one: what is the methodology for establishing a baseline of what normal user behavior looks like? Or on day one, is everything normal? So basically, I think the question is very much about establishing baselines, and how you do that to understand what the anomaly is.
Right. Well, what we do is we have 50, almost 60, I think we have 58 analytic features that we're looking at regarding each of the entities and the activities. So whether it's a user, device, location and IP address, or the resources you're accessing, we're constantly looking across these, and each of those different analytic features, so of the 50 of them, think of each as having its own data model and its own algorithm for how it looks at something. Some of them are very complicated and based on Bayesian models and statistics; others are just recognizing baseline things, like the first time we've seen something, or the most common time of day that we've seen a user's activity. All of those features and functions add up to what the baseline is.
And that's an important thing. So your baseline, when you first start an analytics system of this kind, starts off by being able to recognize very simple things, and then over time those more sophisticated models that are looking at averages and common regularity build up and then lock in. The quick answer to that question is that each of the analytics has a different timeframe that it looks at. Our system, after roughly three weeks, has a full baseline, meaning all of the analytics have locked in in general and know things like what's a common time of day for a user, what an identity might be doing, what's the common type of resource they're engaging with and how they're engaging with it. So it builds up over time. There's value at day zero, just as a credit card company has value at day zero when you first use your card, but that value gets greater over a time period, and it really locks in around three weeks to a month; that's where the baseline sets.
Okay. I think parts of your answer to that question also relate to another question we have here: how hard is this to deploy? You said it creates a baseline in three weeks. So how much time does it take to create the baseline, to do the tuning? And what's the level of expertise required at the customer end?
Right. Well, that's one of the beauties of going after the PAM use case and what we've done, I think. We designed the system and built in purpose-specific algorithms and analytics, and in fact it's all focused on the PAM use cases. So unlike something that's boiling the ocean and trying to solve everything for everyone, by focusing on the PAM solution we have the ability to package up everything in a way that you don't have to have any knowledge or skills regarding analytics, big data management or statistics. Literally, you install the product, which is a virtual machine, you configure it with your PAM system so they're talking to each other, and then it will automatically start ingesting information and doing the work. There's no special effort required in regards to tuning it or adjusting it, as you might have with, in particular, I'll compare it to a SIEM or a larger trying-to-do-everything-for-everyone type of product. What we believe in with our product is that it has to be really simple for folks, because you have other things to do, and our job is to make the administrator's and the defender's job as easy as possible. So that's what we do.
Okay. There's another question, maybe one I might take, but you might also comment on it as well: could you provide advice on the privacy aspect or data protection law aspect of using user behavior analytics in Germany? I'm not a lawyer, so I can't give legal advice here, clearly, but I think it's worth looking at the current Bundesdatenschutzgesetz, the German data protection law. Basically, the law says that you are allowed to collect such data for a defined purpose. So from a law perspective, when it's about what your employees are doing, it's basically allowed, and even GDPR, if you have consent, wouldn't be in conflict; this is for externals. From a law perspective, I think the bigger challenge might be the works council, which frequently comes into play when it's about discussing these things. And then I think it needs a very clearly defined and explained strategy about why you are using it, to which extent you are using it, and all that stuff, and also a very clear focus on what you collect, how you use it, and who's involved and looking at the data. Mark, do you want to add here?
I think you've hit all of the points straight on. I am not a lawyer, but what I know from running the product and from what we've built is exactly what you've said: we have not come across a case where the law forbids the collection of the information and its use for a defined purpose, and more importantly, in some cases that defined purpose is security. Remember, that's our goal here, and that's really our primary focus, if not the exclusive one, for most of our customers: I want to secure my system. So when you define the purpose as enabling security, and that's all you use it for, and you get the right approvals or acknowledgements as Martin noted, using it for security is, I think, something everybody in the legal system recognizes. That's what we want to do: we want to protect the systems that we own and that our customers and users are accessing.
So we have not come across a case where collecting any of the pieces of information, or refining it to know things, poses an issue in that way. But the important part, I'll say, is recognizing that the solution is not intended for, and we don't have any users who have ever tried to use it for, pumping this information out and using it for purposes other than security. That's a real clear thing that often cuts through a lot of the noise, I'll say, or the friction that comes in quickly: the purpose is securing our systems and making them more trustworthy. Not marketing to consumers, which is of course one of the big reasons privacy is a concern for consumers.
Okay. Another question I have here: machine learning is a term that I hear a lot, particularly in the context of such technologies. What does it really mean, and how should I think about it? So I give the question to you. My view is that machine learning in that context is, as you just touched on, sometimes a term which is overloaded by marketing, but I'm interested in your perspective on that.
So to me, the simplest way that I think about machine learning is that the computer learns things over time. It's really that simple. It gets thrown around and mixed up with things like AI, or artificial intelligence, and of course algorithms, which are just fundamental, basic things, right? But machine learning is the machine learning something based on what it's seeing over time. So it's not a trigger or a simple rule. It's something like: what's the average, what are the normal operating locations for Martin, what's the average number of devices that a user owns or uses in a given enterprise? It's things that are arguably learned by watching not a single event but something over time. To me, that's all machine learning is. You get some very sophisticated algorithms; like I said, we look at a lot under the covers, whether it's support vectors, or grouping things up and clustering them and figuring out statistics about those things. But from a basic perspective, the thing is that the machine is doing that work, and you as the admin aren't.
That's what machine learning is.
I would fully agree, and I think an important aspect there is that it learns over time. So machine learning is great if you have use cases such as understanding the normal behavior over time. It's nothing which helps you immediately, but then it can be a very positive thing. So I would agree. I have one other question here; at that point, if there are other questions, please enter them now. So: is there a way to use user behavior analytics to protect cloud and SaaS assets?
Yeah, that's a great question. One of the things our PAM system does is enable you to protect cloud assets and SaaS resources. So if you're putting things up into the Amazon AWS world, or you're supporting SaaS environments, and you want to protect that privileged access, our analytics will work against that in the same way. The beauty of the CA Privileged Access Management solution is that it enables the enterprise or business owner to protect those resources and how privileged access is going at them, and the threat analytics capability will watch all of that activity right through that same portal. So it's a win-win, right? If you're starting to do that and put your resources up there, CA PAM and Threat Analytics for PAM will really help you out with that highly exposed asset.
Okay. Thank you, Mark, for that answer, and thank you very much for your presentation. Thank you very much to all the attendees for listening to this KuppingerCole webinar. I hope to have you again soon in another KuppingerCole webinar, or to see you at one of our upcoming events. Thank you.
Thank you, Martin.