Gartner conference: Integrate IAM and SIEM to prevent APTs

Properly integrated identity and access management (IAM) and security information and event management (SIEM) can help combat modern targeted attacks, as well as performing their traditional functions.

Speaking at the Gartner IAM conference in London, Gartner research managing vice president Mark Nicolett said that while the threat of self-propagating malware has come back, security is driving IAM and user activity monitoring.

He said: “The whole point of that malware is to compromise accounts to steal data. One example is that individuals in mid-sized businesses with access to cash accounts were targeted with a 'business' email. That sequence followed, and [the criminals] waited until as many accounts as possible were compromised and then drained them; by the time they realised, 160 companies had been hit and the money was not touchable. In that case it was not intellectual property, just cash in the bank.”

Nicolett said that the lessons from ten or 11 years ago still matter: protecting the perimeter to narrow the attack surface, and managing and fixing vulnerabilities to be more resilient to attack. “Some attackers are opportunistic and if they find a soft environment and hit the roadblocks, they will try and find a softer target, so there is value in hardening the perimeter,” he said.

“Some systems can only take it so far. They need to be good at early detection and this is an area we are particularly bad at.”

He also quoted the Verizon 2012 data breach investigation report, which said that 80 per cent of breaches were due to this weakness in early detection, so there is a 20 per cent success rate to improve on in this area.

He said: “A targeted attack can take a week or more to unfold as the attacker figures out a way to find and take the data, so we need to monitor user activity, application activity, data access and device access, also profiling and anomaly detection.

“If you deploy SIEM you need people who know databases, networks and Active Directory, as you need to ready your event sources and know your deployments to spot anomalies.”

Asking the audience of 26 people if they had deployed SIEM, around half raised their hand, while only one had integrated IAM with SIEM. He said that the correct technology should do 'specialised threat detection', including threat intelligence, recognising targeted malicious code, and recognising advanced threat communications.

Gartner predicted that by 2016, 30 per cent of SIEM deployments will have an IAM integration in addition to Active Directory. “Many SIEM vendors are improving their IAM integration,” Nicolett said.

“It is complex as you need log management and SIEM deployed first before you deploy anything. You can use SIEM for change detection, to know what has been authorised. Reporting on exceptions, database auditing, privileged user monitoring, rules-based correlation – but if it doesn't tell you about new types of attacks, that is where you need anomaly detection.”
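The capabilities Nicolett lists (change detection against what IAM has authorised, privileged user monitoring, rules-based correlation, and anomaly detection for the cases the rules do not cover) can be illustrated with a small script. The following Python is an added example written for this page, not code from Gartner or from any SIEM or IAM vendor; the IAM roster, the authentication log lines and the finding names are all constructed for the demonstration.

```python
import json
from collections import defaultdict

# Constructed IAM export: the identity system's view of what each account should be.
# This is the "what has been authorised" context that a SIEM gains from IAM integration.
IAM_ROSTER = {
    "alice":      {"owner": "Alice Lin", "privileged": False, "status": "active",   "approved_hosts": []},
    "svc_backup": {"owner": "Ops team",  "privileged": True,  "status": "active",   "approved_hosts": ["10.0.5.20"]},
    "bob":        {"owner": "Bob Reyes", "privileged": False, "status": "disabled", "approved_hosts": []},
}

# Constructed historical authentication events, used to learn a per-user baseline.
HISTORY = """
{"id": 1, "ts": "2012-03-01T08:02:11", "user": "alice", "src": "10.0.1.15", "result": "success"}
{"id": 2, "ts": "2012-03-01T23:00:05", "user": "svc_backup", "src": "10.0.5.20", "result": "success"}
{"id": 3, "ts": "2012-03-02T08:05:40", "user": "alice", "src": "10.0.1.15", "result": "success"}
"""

# Constructed "live" events that the SIEM correlates against the IAM context.
LIVE = """
{"id": 10, "ts": "2012-03-05T08:01:00", "user": "alice", "src": "10.0.1.15", "result": "success"}
{"id": 11, "ts": "2012-03-05T02:14:00", "user": "alice", "src": "10.0.9.77", "result": "success"}
{"id": 12, "ts": "2012-03-05T02:16:00", "user": "svc_backup", "src": "10.0.9.77", "result": "success"}
{"id": 13, "ts": "2012-03-05T02:20:00", "user": "bob", "src": "10.0.1.30", "result": "success"}
{"id": 14, "ts": "2012-03-05T02:25:00", "user": "temp_admin", "src": "10.0.1.30", "result": "success"}
{"id": 15, "ts": "2012-03-05T09:00:00", "user": "alice", "src": "10.0.1.15", "result": "failure"}
"""


def parse_events(text):
    """Parse one JSON event per line (the constructed SIEM export format used here)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events):
    """Profiling: record which source addresses each user has successfully logged on from."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            baseline[ev["user"]].add(ev["src"])
    return baseline


def correlate(event, roster):
    """Rules-based correlation: compare the event with IAM's record of the account."""
    findings = []
    acct = roster.get(event["user"])
    if acct is None:
        # Change detection: an account IAM never authorised is in use.
        findings.append("account_not_in_iam")
        return findings
    if acct["status"] != "active" and event["result"] == "success":
        # A disabled account should never authenticate successfully.
        findings.append("disabled_account_success")
    if acct["privileged"] and event["src"] not in acct["approved_hosts"]:
        # Privileged user monitoring: admin/service accounts tied to approved hosts.
        findings.append("privileged_from_unapproved_host")
    return findings


def detect_anomaly(event, roster, baseline):
    """Anomaly detection: a successful logon from a source never seen for this user."""
    if event["user"] not in roster or event["result"] != "success":
        return []
    if event["src"] not in baseline.get(event["user"], set()):
        return ["new_source_for_user"]
    return []


def triage(live_text=LIVE, history_text=HISTORY, roster=IAM_ROSTER):
    """Return {event id: {user, owner, findings}} for every live event that raised a finding."""
    baseline = build_baseline(parse_events(history_text))
    report = {}
    for ev in parse_events(live_text):
        findings = correlate(ev, roster) + detect_anomaly(ev, roster, baseline)
        if findings:
            # IAM enrichment also tells the analyst who to call about the account.
            owner = roster.get(ev["user"], {}).get("owner", "UNKNOWN")
            report[ev["id"]] = {"user": ev["user"], "owner": owner, "findings": findings}
    return report


if __name__ == "__main__":
    for event_id, entry in triage().items():
        print(event_id, entry)
```

The rules catch what IAM can state outright (an account nobody provisioned, a disabled account that still logs on, a privileged account used from the wrong host), which is the change-detection and privileged-user-monitoring side; the baseline check is the anomaly-detection side that fires on event 11 even though every rule is satisfied for it. A real deployment would replace the constructed roster with an export from the IAM system and the inline JSON with the SIEM's normalised authentication feed.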