Using SIEM and Identity to Protect Against Data Breaches

“We are what we repeatedly do“ is a common paraphrase of Aristotle—though if he were around today, his sentiment might be more like “we are what we search, click, or connect to.” As security professionals well know, there’s a lot to learn from how we use technology.

The interactions between users, applications, networks, devices, and APIs all provide useful security information, and by collecting and analyzing this data, companies can identify threats and respond proactively. The problem? These interactions add up quickly. And, while every data point is valuable, the sheer amount of data that companies need to collect and analyze can be overwhelming. On the flip side, it may not be individual data points that are interesting, but combined trends or general direction of data that holds the insight. This is where security information and event management (SIEM) solutions come in.

How do SIEM tools work?

The core functions of SIEM software can be broken up into the following elements:

  • Log management and reporting SIEM solutions collect and store event information across hardware and software. Examples include VPNs, firewalls, anti-virus software, and identity and access management solutions. Basically, almost any system that produces logs can be ingested and managed by a SIEM. SIEM solutions also reformat data so that it is consistent and easy to manipulate and analyze across your IT environment.
  • Correlations and analytics This component ties together logged events to identify patterns and correlations. One example might be the notation of multiple failed logins from the same IP address, across a single organization. Admins can also set correlation rules that trigger alerts, such as a certain number of failed login attempts from an IP within a given timeframe.
  • Alerts Triggered events or security incidents can be instantly reported through dashboard updates and/or email and text alerts. Some SIEMs can also implement or integrate with workflow processes to facilitate responses to certain alerts.
  • Data presentation SIEM solutions are able to present the data they’ve gathered in visual formats that make security insights easy for IT and Security teams to understand and act on.
  • Threat intelligence Organizations can use SIEM solutions to ingest various threat intelligence feeds, including that of identity providers and third-party sources. Many organizations rely on multiple feeds, especially those specialized in different areas, to increase their chances of detecting risky events.

These security capabilities from SIEMs can enable organizations to better protect themselves against data breaches.

Turning data into defense

The new normal is that the traditional security perimeter has collapsed, threats evolve at an incredible rate, and IT security teams need to work with heaps of data—making SIEM software invaluable. In particular, it can be used as part of a Zero Trust strategy, an approach we strongly recommend.

Zero Trust instructs companies to distrust every user, device, network, and workload, by default. It also suggests that organizations implement multiple layers of security to protect their data and systems. However, the more defensive systems you deploy, the more data IT security teams have to deal with. Adopting contextual access through a solution like Adaptive MFA is crucial to a good Zero Trust approach, but the data it creates needs to be managed effectively and used proactively to prevent data breaches. Companies can use SIEM solutions to do this—to monitor and analyze users, devices, and networks for greater insight into potential threats. SIEMs can help parse through the enormous amount of data generated even by a single source, like an identity solution, to surface unusual activity that may indicate a compromise or breach.

SIEM aggregates data from multiple sources, like Okta Single Sign-On (SSO) logins and physical badge logins, and presents the analysis visually, meaning IT can easily grasp insights and take appropriate actions. For example, an employee SSO login attempt that originates in Virginia is followed by a physical badge scan for the same worker in California. This is clearly a suspicious event, even if that employee’s address is based in Virginia.

Additional context from SIEMs can also help reduce noise and false positives. For example, multiple password resets can indicate suspicious activity. And the typical “appropriate action” may be to alert on that activity. However, correlation of login or password reset time with physical badge scan times can indicate an employee was in the corporate building while performing password resets, a low risk activity. So the actual “appropriate” action in this case may be to do nothing, whereas firing an alert would have resulted in a false positive and additional noise.

Enhancing SIEM with identity-driven security

As the bridge that connects users with data, an identity provider like Okta is perfectly positioned to deliver identity-driven security. SSO, Adaptive MFA and API Access Management can be used to gain insight into how, when, and where a company’s data is being accessed, not to mention who is doing the accessing.

Okta offers various ways for companies to leverage Okta data within third-party SIEM solutions. Using Okta APIs, organizations can leverage Okta’s identity and access data and use SIEM tools to look for suspicious access events. And while Okta also offers centralized reporting to log incidents and events that occur in real-time, many organizations choose to export Okta data into their SIEM for easier searching and correlation with other data sources across their IT environment.

In fact, by leveraging the power of the Okta Integration Network, organizations can take advantage of pre-built integrations with the leading SIEM vendors, including Splunk, IBM QRadar, Exabeam and many more. Now it’s easier than ever to deliver identity-driven security to truly protect against data breaches.

Sometimes data feels like a sword in a stone: powerful but difficult to extract and optimize. Security teams may have users’ authentication data on their side, but collecting and analyzing it across various touchpoints is a different story, let alone digesting it all quickly and responsively. With SIEM software, organizations can rise to the challenge, especially when they combine it with an IAM solution that gives it all the data it needs. Data is the best defense—the coupling of SIEM and Okta also make it easy.

Check out our infographic on how identity data and SIEMs can help protect against data breaches, then read on to redefine your security with modern identity.