Beyond just monitoring IAM activity (successful or failed logins, account lockouts, etc.), many other IAM-related events and activities can be logged and monitored to help alert you to malicious activity. While identity threat detection and response (ITDR) is a new category of solutions centered around this capability, anyone with an existing SIEM can add additional alerts and monitoring to help identify these potential threats and actors.
This piece explains the importance of normalizing IAM data, suggests some key IAM events to log/monitor and recommends ways to ease the process.
ITDR is an emerging capability in the security monitoring and zero trust space. It is an extension of existing SIEM and security monitoring capabilities specifically focused on identity events and possible account compromise. While ITDR products can provide a jumpstart toward monitoring and detecting IAM-based threats, organizations can also instrument their SIEM to provide similar capability, although it requires staff with the right expertise and bandwidth.
The first major challenge when starting to look at ITDR and SIEM analysis of IAM logs and activity is normalizing logs and data across multiple disparate applications and infrastructure. For example, Windows logs may use the format firstname.lastname@example.org for an authenticator, while web applications and infrastructure (e.g., firewalls) use just "user." To get actionable data and analyze it across data sources, you must use a common format and identifier for IAM data. The mapping can be provided through lookups or other web services exposed by the main identity warehouse, such as AD or your identity governance and administration platform, and should be referenced as part of the normal log aggregation and normalization process.
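The normalization step described above, as an added example that is not part of the original post: a constructed lookup table stands in for the identity warehouse, each source's principal field is resolved to one canonical employee ID, and events from Windows, a firewall and a web application are grouped under that ID. Field names, identifiers and sample events are all assumptions.

```python
"""Normalize identity fields from disparate log sources to one canonical ID."""
from collections import defaultdict

# Constructed stand-in for the identity warehouse (AD / IGA lookup): every
# known identifier form for a person maps to one canonical key (employee ID).
IDENTITY_WAREHOUSE = {
    "jane.doe@example.org": "E1001",   # UPN / e-mail form seen in Windows logs
    "CORP\\jdoe": "E1001",             # down-level logon name
    "jdoe": "E1001",                   # bare account name (firewalls, web apps)
    "john.smith@example.org": "E1002",
    "jsmith": "E1002",
}
_WAREHOUSE = {k.lower(): v for k, v in IDENTITY_WAREHOUSE.items()}

# Which field carries the principal in each source's log schema (constructed).
USER_FIELD = {"windows": "TargetUserName", "webapp": "user", "firewall": "srcuser"}


def canonical_id(raw_user):
    """Resolve a raw principal string to the warehouse key, or None if unknown."""
    return _WAREHOUSE.get(raw_user.strip().lower())


def normalize(event):
    """Return a copy of the event with a 'canonical_user' field added."""
    field = USER_FIELD.get(event["source"])
    raw = event.get(field) if field else None
    out = dict(event)
    out["canonical_user"] = canonical_id(raw) if raw else None
    return out


def events_by_identity(events):
    """Group normalized events by canonical identity; unknowns go to UNRESOLVED."""
    grouped = defaultdict(list)
    for ev in events:
        n = normalize(ev)
        grouped[n["canonical_user"] or "UNRESOLVED"].append(n)
    return dict(grouped)


# Constructed sample events from three sources referring to the same person.
SAMPLE_EVENTS = [
    {"source": "windows", "TargetUserName": "Jane.Doe@example.org", "EventID": 4624},
    {"source": "firewall", "srcuser": "CORP\\jdoe", "action": "vpn-connect"},
    {"source": "webapp", "user": "jdoe", "action": "login-failed"},
    {"source": "webapp", "user": "svc_backup", "action": "login"},
]

if __name__ == "__main__":
    for eid, evs in events_by_identity(SAMPLE_EVENTS).items():
        print(eid, [e["source"] for e in evs])
```

The UNRESOLVED bucket is worth alerting on in its own right: an identifier the warehouse does not know is either a gap in the mapping or an account outside governance.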
A wealth of contextual and event-driven IAM data can be used to alert the security team about potential breach activity. Some key metrics and data to consider include:
Financial institutions have great risk departments and capabilities that can be leveraged with IAM monitoring and response. As an integration point, check with your risk management and transactional security group to see what they monitor that might help with your IAM monitoring. If the risk management group finds anomalous and/or risky transactions, this can provide alerts to the team of possible account misuse or account compromise.
Monitoring for and alerting on anomalous IAM activities, beyond simple authentication-level events, can go a long way toward thwarting common identity-based attacks. To improve your chances of success: