Working Smarter: Use Machine Learning to Merge IAM and SIEM

Written by

Innovation in business IT systems never stands still. New technologies constantly emerge as organizations seek to modernize and improve business systems, but this constant change has a price. Every alteration and new system added widens the attack surface giving hackers new ways of compromising business-critical data.

It stands to reason, then, that security teams need to respond by adding new layers of security, giving them more eyes to see potential hackers. In an effort to identify potential risks, the Security Operations Centre (SOC) casts as wide a net as possible, but this can result in teams being flooded with alerts; many of which are false positives.

According to ESG research, 42% of cybersecurity professionals say their organization ignores a significant number of security alerts because they can’t keep up with the volume. It’s clear that in an evolving threat landscape, swamped security teams need to find a way to focus on the alerts that actually matter to the business and clear out the clutter.

Combining threat intel from people and PCs
Identity and Access Management (IAM) and Security Information and Event Management (SIEM) systems can give organizations the insight and clarity they so desperately need. Between them, SIEM and IAM can give visibility on everything.

From traditional logs to packet, network and endpoint visibility on the SIEM side; through to contextual information, such as user location, login times, usage habits and login history on the IAM side. By combining these two sources, organizations can generate a much clearer picture of what’s going on throughout their IT landscape. 

SIEM and IAM data is vital when examining a potential threat; it can be stitched together quickly and easily using machine learning, and used as a ‘litmus test’ so organizations can quickly assess if an action is out of the ordinary.

In other words, by comparing an action against the vast amount of data on regular activity collected by IAM and SIEM solutions, it’s much easier to have an idea of what ‘normal’ should look like. Conversely, when unusual activity is spotted, it can be assessed against all of the available data immediately, instead of going straight up to the SOC team to review. Any anomalies can then get flagged. 

For example, if a user fails a login once on a Monday morning from their home or work, it’s more likely to be a human error, and presents a relatively low risk. There’s no need to flag this to the security team, but this information should be logged and accessible for later analysis. If this is happening on a Wednesday afternoon, and multiple attempts are being made from an unregistered machine that’s hundreds of miles away, each factor increases the risk.

If one risky activity is logged, a machine may simply add an additional step in authentication – such as asking the user for a fingerprint scan from their phone. However, if multiple risky behaviors are spotted, the machine should send the alert up to the security team immediately. 

Using machine learning and automation to share the load
Creating the intelligence to distinguish good behavior from bad will require IAM solutions to ingest and analyze vast volumes and varieties of user-related data. With a centralized model, a business-driven IAM framework provides a rich context to determine a user’s validity, moving beyond accounts to capture entitlements, roles, job functions, business policies, and the dependencies among them.

The ability to share this broader context extends security functions beyond simply identity management, to management of the entire identity lifecycle. This enables a quick determination into what is normal access, and what is inappropriate and potentially risky access. 

The growing use of mobile devices and cloud-based applications creates an even bigger challenge in managing identities. A business-driven IAM model brings these devices and users under a unified view to enrich user profiles and enhance behavior modelling.

While it can’t be relied upon as the be-all and end-all of IT security, machine learning and automation is incredibly useful as a tool to help separate the wheat from the chaff. If given the right data, smart systems can focus on the ‘small stuff’, using intelligent automation to give context to user interactions and spot anomalies across the network. This helps to filter alerts before they come up to the SOC team, leaving them to deal with urgent or complex threats. 

Adopting a business-driven security approach
This contextual information is effective at filtering out simple alerts, however, it is just the first step. The bigger challenge is being able to interpret and manage this data in a way that doesn’t just identify security risks, but prioritizes them based on how meaningful each risk is for the business.

This kind of business-driven security approach is essential; it ensures that when a high-impact event such as a breach occurs, security teams are immediately notified, can share the business impact of the breach with the board, and can react swiftly.

As machine learning becomes more advanced, eventually this process will become more automated – giving security teams the time and resources to tackle more complex threats, and the ability to communicate with key business stakeholders quickly and clearly.

Ultimately, organizations should be aiming to create an ‘identity assurance engine’; a platform where SIEM and IAM data is fed into a single system that’s tuned to what matters to the business, automatically filtering out low-risk alerts and pushing up alerts that could be critical to key operations or processes. This will ensure high-risk alerts jump to the front of the queue, so that security professionals have a complete picture of an event, and can easily see how this links back to a risk for the business.

Context is king
It’s not about working harder, it’s about working smarter. By combining SIEM and IAM data, and putting this into business context, alerts can be filtered, prioritized and reduced to ease the burden of security pros. This business-driven approach to security will ensure SOC teams can make more informed security decisions and, ultimately, keep their organization’s data safe.

What’s hot on Infosecurity Magazine?