What’s the Key Enabler for Security Incident Response?

A modern Security Incident Response solution is a system of interconnected components working together to identify known and unknown threats and to prevent or limit the damage done by those threats. The method for addressing those threats loosely follows the NIST Cybersecurity Framework Functions – Identify, Protect, Detect, Respond, and Recover. For each function, identity and access management (IAM) plays a key role in keeping technology resources and data secure.

Identify – As part of this function, applications and resources need to be cataloged and prioritized, and this information can be the basis for the entitlement catalog in IAM. Risk Assessment considers the business criticality of applications and establishes how high-risk resources and accounts will be managed. In IAM, access to highrisk resources may require additional approvals. Privileged accounts may require enhanced monitoring or more frequent certifications.

Protect – Access Control is a category of the Protect function, and it aligns with core objectives of IAM: manage identities and credentials, assure that access is authorized and appropriate, grant only the access necessary to perform one’s work (least privileged access), and enforce separation of-duties to avoid conflicts of interest. The Data Security category provides a compelling use case for Data Access Governance, especially data at rest, and sensitive data stored in files.

Detect – Modern detection solutions compare observed activities against a collection of “normal” activity for the affected endpoint or resource. IAM data can be used to enrich observed data and help determine what should be done. If an offsite Admin, for example, is attempting to access a financial application, the IAM platform can provide data showing that the Admin is not authorized for access, even in cases where the governing directory service was altered to grant access. In this case, a Security Incident Response ticket would be raised immediately.

Respond – IAM enhances the Analysis category of the response function by providing data about an account or an individual related to a security event. Does the account belong to an active user who has authorized access to the resource in question? What other accounts does that user have access to, and what other data could be compromised? Recover – The Improvements category for the Recover function often calls for additional checkpoints and approvals to ensure that all access is authorized, appropriate, and is removed when it is no longer needed. This is a core function of IAM, and vital to the security posture of any company

Read this article and others in the Identity Insider magazine.


Discussion