Leveraging Identity Data in Cyber Attack Detection and Response
As organizations move away from traditional network-based security models, in which zones are designated “trusted” or “untrusted,” toward people-centric models such as Zero Trust, identity is becoming intrinsically linked to security. In fact, identity data can help security teams determine whether users or the organization are the subject of a cyber attack. This whitepaper outlines which identity data can be used as an indicator of a cyber attack and how, as well as ways to respond to incidents using Identity and Access Management (IAM) systems.
Identity Data Sources
Identity data can be broadly broken down into two main categories: (1) data associated with a user, and (2) data associated with the identity and access management (IAM) system itself. Both types of data can be leveraged in the detection and investigation of cyber incidents.
User Activity
User data tracked and logged by IAM providers gives a detailed view of each user’s activity. Applications accessed, time of access, login attempts, and the location or IP address of each login are among the information identity providers typically record. By establishing how users typically work, security teams can recognize deviations that indicate suspicious user activity.
Suspicious user activities to look for can include:
- Access to applications the user typically does not access
- Password changes or resets
- Changes to or removal of multi-factor authentication (MFA) factors, for example removing MFA requirements, changing security question answers, or changing the phone number used for SMS-based MFA challenges
- Multiple failed login attempts or account lockouts
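The following is an added example, not part of the whitepaper and not any identity provider's own code, of how the four indicators listed above can be turned into detection logic over identity-provider logs. The log lines are constructed for the example, and the event schema (`event_type`, `actor`, `app`, `outcome`, `factor`) is an assumed generic format, not a specific vendor's. It builds a per-user baseline of applications accessed during a quiet period, then flags access to applications outside that baseline, password resets or changes, any MFA factor change, account lockouts, and bursts of failed logins within a sliding window.

```python
"""Detection rules for the suspicious identity activities listed above.

Added example (not from the whitepaper). The newline-delimited JSON event
format and its field names are assumptions, not a real vendor schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: a baseline period in early March, then the
# activity to be checked on 15 March. "bob" has no baseline on purpose.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "actor": "alice", "event_type": "app.access", "app": "mail", "ip": "10.0.0.5", "outcome": "success"}
{"ts": "2024-03-01T09:05:00Z", "actor": "alice", "event_type": "app.access", "app": "wiki", "ip": "10.0.0.5", "outcome": "success"}
{"ts": "2024-03-02T09:01:00Z", "actor": "alice", "event_type": "app.access", "app": "mail", "ip": "10.0.0.5", "outcome": "success"}
{"ts": "2024-03-15T02:10:00Z", "actor": "alice", "event_type": "user.login", "ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2024-03-15T02:10:30Z", "actor": "alice", "event_type": "user.login", "ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2024-03-15T02:11:00Z", "actor": "alice", "event_type": "user.login", "ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2024-03-15T02:11:30Z", "actor": "alice", "event_type": "user.login", "ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2024-03-15T02:12:00Z", "actor": "alice", "event_type": "user.login", "ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2024-03-15T02:14:00Z", "actor": "alice", "event_type": "user.login", "ip": "203.0.113.9", "outcome": "success"}
{"ts": "2024-03-15T02:15:00Z", "actor": "alice", "event_type": "user.mfa.factor.deactivate", "factor": "sms", "ip": "203.0.113.9", "outcome": "success"}
{"ts": "2024-03-15T02:16:00Z", "actor": "alice", "event_type": "user.password.reset", "ip": "203.0.113.9", "outcome": "success"}
{"ts": "2024-03-15T02:20:00Z", "actor": "alice", "event_type": "app.access", "app": "hr-payroll", "ip": "203.0.113.9", "outcome": "success"}
{"ts": "2024-03-15T09:00:00Z", "actor": "bob", "event_type": "app.access", "app": "mail", "ip": "10.0.0.7", "outcome": "success"}
"""

# Events before this instant are treated as "normal" for baselining (assumed).
BASELINE_END = datetime(2024, 3, 10, tzinfo=timezone.utc)

CREDENTIAL_EVENTS = {"user.password.change", "user.password.reset"}
LOCKOUT_EVENTS = {"user.account.lock"}


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_app_baseline(events, baseline_end):
    """Map each user to the set of apps they successfully used before baseline_end."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["event_type"] == "app.access" and ev["outcome"] == "success" and ev["ts"] < baseline_end:
            baseline[ev["actor"]].add(ev["app"])
    return baseline


def detect(events, baseline_end, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a time-ordered list of alerts for the indicators in the list above."""
    baseline = build_app_baseline(events, baseline_end)
    failures = defaultdict(deque)  # actor -> timestamps of recent failed logins
    alerts = []

    def alert(ev, rule, detail):
        alerts.append({"ts": ev["ts"].isoformat(), "actor": ev["actor"], "rule": rule, "detail": detail})

    for ev in events:
        et, actor = ev["event_type"], ev["actor"]
        if et == "app.access" and ev["ts"] >= baseline_end:
            known = baseline.get(actor)
            # A user with no baseline cannot be compared; skip rather than alert on everything.
            if known is not None and ev["app"] not in known:
                alert(ev, "new_app_access", f"{ev['app']} not in baseline {sorted(known)}")
        elif et in CREDENTIAL_EVENTS:
            alert(ev, "credential_change", et)
        elif et.startswith("user.mfa."):
            alert(ev, "mfa_factor_change", f"{et} factor={ev.get('factor')}")
        elif et in LOCKOUT_EVENTS:
            alert(ev, "account_lockout", et)
        elif et == "user.login" and ev["outcome"] == "failure":
            recent = failures[actor]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:  # slide the window
                recent.popleft()
            if len(recent) == fail_threshold:  # fire once when the threshold is reached
                alert(ev, "failed_login_burst", f"{len(recent)} failures within {window}")
    return alerts


def run_sample():
    """Run the rules over the constructed log with the assumed baseline cut-off."""
    return detect(parse_events(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["actor"], a["rule"], a["detail"])
```

On the sample, the four alerts for `alice` arrive in sequence (failed-login burst, MFA factor deactivation, password reset, first-ever access to `hr-payroll`), which is the kind of chain an analyst would want correlated per user rather than reviewed as isolated events; `bob` produces nothing because he has no baseline to deviate from.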
The challenge of monitoring user data, however, is the amount of data. Each