How to enforce real-time controls based on behavior risk scoring
For decades, the traditional approach to securing digital assets has been based on using a primary set of credentials, namely a username and password. This binary model – a user supplies his/her credentials and they are allowed into the network, application, etc. – has run its course.
Everyone knows this, especially cybercriminals. Using stolen credentials is obviously much easier than trying to break into a network or application by circumventing layers of security controls. In fact, fraudsters no longer even have to steal them. According to one report, more than 15 billion account credentials are for sale on cybercrime forums, with 5 billion of them considered unique, meaning that they haven’t been offered for sale more than once.
Meanwhile, multi-factor authentication only introduces an additional layer of complexity to the authentication process. This increased friction is keeping adoption rates low. According to DataProt, only 26% of companies use multifactor authentication. Because MFA creates a poor digital experience, users are avoiding it.
But there’s a better way. Applying machine learning models against data sources in real time can differentiate customers and internal users based on behavioral attributes at a very granular level. When this output is used with an orchestration or workflow engine like an identity and access management platform for provisioning/deprovisioning, data loss prevention, cloud access security broker, etc., it can enforce an action such as prevent, allow, limit or monitor access in response to specific behavior patterns. This ML-powered behavior-based orchestration and real time policy enforcement has come to be known as model-driven security.
How it works
Contrary to popular perception, model-driven security does not require advanced artificial intelligence and is accessible to most organizations. In fact, the financial sector has been using machine learning in their processing systems for years.
The concept is straightforward: a pattern of behavior is represented mathematically and used as a baseline for comparison against real time behavior; this calculation will generate a deviation or risk score; and based on the risk level of any deviations, remediation action can be taken such as to revoke access.
Here’s an example of how to implement model-driven security.
First, a system captures independent behavioral attributes such as location, time of use, commonly used applications, and more. Next the pattern of behavior for each specific attribute is represented as an algorithm (i.e., mathematical representation of an event). This creates a baseline for comparison against real-time attribute data that occurs during a web or mobile session. Any deviation of behavior for each attribute at a given point in time produces a risk score.
By combining the risk (deviation) scores from multiple attributes into a single aggregated risk score, a confidence level is generated. This can be continuously fed to an application, in real time. When the confidence level exceeds predetermined thresholds, an automated response can be invoked. For example, if the confidence level is high, then full access to the site or app is allowed. If the confidence level exceeds the threshold, access is restricted.
Model-driven security provides substantial benefits. Since it virtually eliminates authentication events, the user experience becomes frictionless and password reset/help desk costs go down. Finally, security is improved.
However, implementing model-driven security is not without its challenges. Making the transition will take time, especially for organizations that have hundreds of internal and external apps. Nevertheless, the advantages are too great to ignore. With early adopters leading the way, it’s only a matter of time before model-driven security makes passwords obsolete for good.