Most of us have implemented SIEM as well as identity and access management technologies. But are they talking to each other?
I’ve heard “Well, our 2-factor authentication system only allows connections that are strongly authenticated, so what’s the point of feeding that data to our SIEM?”
There is a lot of value in the activity records produced by authentication and identity management solutions, if you can get them out of those systems and into your SIEM to correlate with the rest of your security events and information. This is especially true as authentication and identity systems become more sophisticated. Modern identity systems take into account many dynamic risk factors like:
   • Geo-location
   • User velocity
   • Recognized client device
   • Usage schedule patterns
   • Human presence
All of this means that the events coming out of these systems carry far more information about the risk surrounding a logon, and that information gives SOC analysts context when evaluating downstream events produced by whatever systems and applications the user accesses after being authenticated.
In this “real-training for free” event, we will look at the event information generated by access management and authentication technologies and how that data can be leveraged once it’s in your SIEM.
As a specific example, we’ll examine the events currently generated by our sponsor RSA’s identity and access management technology. You’ll see how their syslog feed of successful and failed authentications includes valuable data about each event, such as the authentication method attempted, for instance a token code with PIN versus a password used for emergency access. Those are just a couple of details, but think how useful it would be for a SOC analyst investigating an alert about an abnormal amount of data being downloaded by Bob to know that Bob had authenticated successfully, but only by using emergency password access from a previously unknown device.
Getting data like this into your SIEM is so much better than expecting SOC analysts to swivel to other information silos and hunt around for that context. Analysts don’t have the time or mental energy to do that. However, getting all your security data (including identity and access events) into one place does more than save the SOC analyst a trip to another system; it also creates the opportunity for more automated and more sophisticated threat hunting, and ultimately reduces the risk of a breach.
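The "Bob" scenario above, as an added example rather than anything from the webinar or from RSA: a few constructed authentication events in a generic key=value syslog-like layout (an assumption for illustration, not RSA's actual event format), a constructed per-user usual-country baseline, and the enrichment step a SIEM would run when a downstream alert fires. The hypothetical function enrich_alert looks up the logon that most plausibly started the user's session, then attaches the identity risk flags (emergency access, unrecognized device, geo deviation, failures just before the success) that the analyst would otherwise have to go and hunt for in the IAM console.

```python
"""Enrich a downstream SIEM alert with identity and authentication context."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample authentication events in a generic key=value,
# syslog-like layout. The layout and field names are an assumption made
# for this example; they are not RSA's actual syslog format.
AUTH_EVENTS = """\
2024-03-04T08:55:10Z authmgr result=SUCCESS user=alice method=TOKEN_PIN device=KNOWN src=10.1.4.22 geo=US
2024-03-04T09:02:31Z authmgr result=FAILURE user=bob method=TOKEN_PIN device=UNKNOWN src=203.0.113.8 geo=RO
2024-03-04T09:02:58Z authmgr result=FAILURE user=bob method=TOKEN_PIN device=UNKNOWN src=203.0.113.8 geo=RO
2024-03-04T09:03:05Z authmgr result=SUCCESS user=bob method=EMERGENCY_PASSWORD device=UNKNOWN src=203.0.113.8 geo=RO
2024-03-04T09:10:00Z authmgr result=SUCCESS user=carol method=TOKEN_PIN device=KNOWN src=10.1.4.40 geo=US
"""

# Constructed per-user "usual country" baseline. A real SIEM would learn
# this from history rather than hard-code it.
USUAL_GEO = {"alice": "US", "bob": "US", "carol": "US"}


@dataclass
class AuthEvent:
    ts: datetime
    result: str
    user: str
    method: str
    device: str
    src: str
    geo: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_events(text: str) -> list[AuthEvent]:
    """Turn the key=value lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _source, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(AuthEvent(ts=parse_ts(ts), **fields))
    return events


def enrich_alert(alert: dict, events: list[AuthEvent],
                 window: timedelta = timedelta(hours=8)) -> dict:
    """Attach the logon that most plausibly started the session behind
    `alert`, plus risk flags derived from it. `alert` needs at least
    'ts' (ISO-8601 Z string) and 'user'; 'priority' (1 = highest) is optional."""
    alert_ts = parse_ts(alert["ts"])
    user = alert["user"]
    logons = [e for e in events
              if e.user == user and e.result == "SUCCESS"
              and alert_ts - window <= e.ts <= alert_ts]
    session: Optional[AuthEvent] = max(logons, key=lambda e: e.ts, default=None)

    flags = []
    if session is None:
        flags.append("no_recent_successful_auth")
    else:
        if session.method == "EMERGENCY_PASSWORD":
            flags.append("emergency_access")
        if session.device != "KNOWN":
            flags.append("unrecognized_device")
        usual = USUAL_GEO.get(user)
        if usual is not None and session.geo != usual:
            flags.append(f"geo_deviation:{session.geo}")
        # Failures in the 15 minutes before the success suggest guessing,
        # or a user fumbling with a token they may not actually hold.
        failures = sum(1 for e in events
                       if e.user == user and e.result == "FAILURE"
                       and session.ts - timedelta(minutes=15) <= e.ts < session.ts)
        if failures:
            flags.append(f"failures_before_success:{failures}")

    enriched = dict(alert)
    enriched["auth_context"] = session
    enriched["risk_flags"] = flags
    # Each identity risk factor raises the analyst-facing priority one step.
    enriched["priority"] = max(1, alert.get("priority", 3) - len(flags))
    return enriched


if __name__ == "__main__":
    evs = parse_auth_events(AUTH_EVENTS)
    alert = {"ts": "2024-03-04T09:40:00Z", "user": "bob",
             "rule": "abnormal_download_volume", "priority": 3}
    out = enrich_alert(alert, evs)
    print(out["rule"], out["user"], "priority", out["priority"], out["risk_flags"])
```

The same download alert for alice, whose session started with a token code and PIN from a known device in her usual country, gets no flags and keeps its original priority; an alert for a user with no successful logon in the window is flagged on its own, since a session that cannot be tied to any authentication is itself worth a look.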
Please join me for this real training for free session.