“I KEEP six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.”
As I look at the sorts of problems that even the largest, most mature organizations are dealing with, many times I see consistent themes emerging. One of the thornier problems, and I alluded to this in my last post, is the challenge of figuring out who is who.
Such a lot of time, expense, and effort has been sunk into the problem of collecting information about the "what" of security. What is happening? What changes are taking place? What is the status of this system?
Here's the problem – getting a long list of "whats" really doesn't tell you that much, unless it's paired with the who".
Let me give you an example:
User A logs in to the system and makes a bunch of changes.
User B logs in to a different system and starts to run some applications.
The problem? What if they are both the same guy? What if, in fact, they are the same guy who, right now, is supposed to be sunning himself on the beaches of Acapulco? So is Bill putting in a little overtime or is someone using his account to get up to shenanigans?
Businesses already struggle to manage identity and many are struggling just as much (maybe even more) to implement comprehensive, organization-wide identity management frameworks. In the absence of some way to figure out who is doing what (I promise, no Abbott and Costello references this time), gaps in the ability to identify threats emerge.
One of the classic examples of a problem in the making is the service account that suddenly starts to access applications or data that it shouldn't. Another is the user logging in from two different remote sites at the same time. Understanding who is doing what has become both the cornerstone of good security and the Achilles' heel of so many security programs.
Correlation of identity, event, and data is going to provide the most direct route to identifying threats before significant damage is done, but subtracting any one of those reduces the significance of security information so much that I would question its value at all.
While management of the entire user base is going to remain a challenge for some time to come, I think organizations are putting some real effort into driving controls of the privileged user population. Data-centric security is essential to protecting organizational assets and reducing the impact of a breach, but user-centric security controls are every bit as important, because answering the 'who' drives so much of the value of the 'what', the 'where' and all the other W's (and the H).