Identity sensors: using IAM focussed honeypots to enhance security

Darran Rolls discusses proactive IAM techniques organisations can use to stay protected

Darran Rolls, CTO, SailPoint
Darran Rolls, CTO, SailPoint

Employee trust is a subject ingrained in the minds of security professionals around the globe. While we often don't like to think it, the insider threat is very real. We constantly read about workers either deliberately or inadvertently contributing to acts of theft, fraud and sabotage. This is a constant theme confirmed in SailPoint's most recent Market Pulse Survey.

In the survey of 1,000 office workers, one quarter of employees admitted they would share sensitive information outside their company. Given this very real threat, organisations must begin to implement secure measures and internal controls to reduce the probability of these insider attacks occurring. But what options are out there and what is the best approach to take to limit these threats?

One option is to enhance your overall identity and access management environment with the use of identity sensors – basically IAM-focused honeypots used to detect and remediate misuse and inappropriate behaviour. IAM sensors are a new twist on how we think about identity controls and are based on two very simple, but effective, new detection capabilities: “Account Honeypots” and “File and folder tripwires.”

Getting drawn to an account honeypot

Account honeypots are like general purpose “server” honeypots, but applied to the account and entitlement space. In essence, these new detection points are quite simply fake accounts, with pre-set login alerts, and deliberately weak passwords, that are automatically created and managed by the IAM infrastructure. The idea is to create juicy looking target accounts at the application and infrastructure layers. Then when a bad guy tries to pawn one of these accounts, alarm bells go off. This can help catch internal reconnaissance and inappropriate behaviour, as it happens.

Tripping up the internal attacker

File and folder tripwires are essentially fake files and folders with appealing names and content, with pre-set access alerts spread out over the cloud and on-prem file shares.

When the bad guys open what looks like a good-looking target file, someone in the security operations centre gets a notification. This creates some interesting new detection endpoints in some very key areas of weakness for most companies.

It is worth noting that all ‘honeypot' approaches are not guaranteed to catch internal or external hackers before any harm is inflicted. However, as part of an offensive security stance, it is one of the most effective opportunities companies will have to clamp down on internal data theft.

Is trapping your employees ethical?

It is clear that with the threat levels organisations are experiencing, even within their own walls, urgent action is required if private corporate assets are to remain just that.

However, essentially trapping your colleagues may be deemed unethical in some cases. To what lengths should employers go to detect internal fraud?

In favour of honeypots: Most companies admit that they can only detect a fraction of all fraud cases, and when fraud is detected, it's usually too late. For this reason, an early warning system to detect potential fraud is a positive step forward. If employees are prowling around trying to access seemingly “sensitive” systems, businesses will want to know about it – before damage is done.

Against honeypots: It's easy to paper over the cracks but if by adopting a honeypot approach, are organisations creating an entrapment model that is deceptive and ethically questionable?  When a curious employee falls into one of these traps, it's not always fair to assume criminal intent. It can and will often turn out to be totally harmless. Perhaps a bigger issue is the legality of monitoring employee activity. In places with strict privacy laws, such monitoring is illegal, and even in countries where it is allowed, it has to be part of company policy that is clearly spelled out to all workers.

Focusing on the critical assets

Companies should really begin to focus their energies on proactively protecting critical business assets. Any form of enhanced IAM sensor monitoring needs to operate in concert with a range of preventive and detective controls including: limiting user access to what is absolutely required to perform a given job; limiting the use of shared or privileged accounts; and requiring the regular review of all access privileges. If and when an organisation does choose to adopt a proactive approach to IAM sensors, they should treat them as additional tools in an overall security strategy that includes effective identity and access governance controls.

Contributed by Darran Rolls, CTO, SailPoint