Friday 20 November 2020

The Whats, Whys, and Hows of XDR

Preventing security incidents is one of the primary goals of any security program. This should come as no surprise, and with today's ever-evolving threat landscape, implementing preventive countermeasures in a multilayered fashion is vital. Right now the so-called endpoint detection and response (EDR) market is going through its biggest transformation ever, driven by innovation.

Systems are not without faults; risk-free environments simply do not exist. Incidents do occur, and when they do (not if) it is vital to detect and respond quickly to limit the negative effects the incident has on the classic CIA triad, i.e., no longer being able to guarantee the confidentiality, integrity, or availability of the data. Historically, EDR was created to provide this ring of defence for systems, giving coverage of endpoints during cyber attacks.


When EDR first appeared, tracing the root cause of incidents occurring on the endpoints was suddenly made easier. This new approach to endpoint security meant security professionals now had a tool that increased their visibility and helped them respond to threats quickly. The information gathered from monitoring the endpoints was recorded and stored in a centralized repository, and detection, correlation, and remediation carried out in a mostly manual fashion became a thing of the past.

Additionally, given the growing skills gap in the security industry, EDR became critical for advanced protection: the effectiveness and efficiency of threat investigation has increased, and we have gained a deeper understanding of the activities and events taking place on the endpoints, all thanks to the machine-driven technology that powers EDR.


EDR lacks full visibility into your environment, but it does give visibility into the actions attackers are taking on your endpoints, and offers some form of control over what can be carried out from there. An obvious evolution of EDR is to extend beyond the endpoint, which is why there is a justifiable reason to declare EDR dead.

By its very definition, EDR focuses only on endpoints, which is necessary but not enough. Take email as an example: it is the number one threat vector, and the data collected from this source, which is effectively a silo, is key to determining the origin of a threat and subsequently its scope and impact. There is an argument to be made that detection and response is needed beyond the endpoint and across multiple layers. Collecting and analyzing data in silos with no shared context between them simply does not provide the visibility needed to uncover the root cause of an incident. For starters, there are many endpoints you may not have visibility of or be able to manage. IoT devices are a good example: devices that more often than not are inherently insecure, with security bolted on as an afterthought. Several other threat vectors exist, and by adding the capability to consume data and view contextual alerts from, e.g., email and the network itself, observations across silos are turned into valuable insights. This is where Extended Detection and Response (XDR) comes into play.

The ability to do detection and response across a wider range of threat vectors, such as email, endpoint, server, cloud workloads, and network, preferably via a single platform, greatly enhances the possibility of tracing threats back to their source. Other key benefits of XDR include reduced time to detect threats and more effective analysis, which ultimately helps the security team in their threat investigation and mitigation work.


Modern XDR platforms are designed to help security teams be more effective and to efficiently:

  • Identify the more sophisticated cyber security threats that are often shrouded in obscurity

  • Offer a large degree of automation

  • Detect and respond with mitigating actions at a fast pace

  • Track threats across multiple systems

As XDR tools become increasingly available, vendors are continuously working on extending their ability to correlate and analyze data across multiple threat vectors. It is no longer just about the endpoint: the greater the knowledge base, the greater your chances of keeping the attackers at bay.


In a few CapGemini and TrendMicro joint projects I was recently involved in, it struck me that in order to keep at bay the more sophisticated threats organizations are faced with, enterprises evidently need to change their detection and response processes and technologies to mitigate the risk of being compromised. Traditional solutions are limited, as they fail to provide the scale and flexibility contemporary organizations require to tackle their adversaries. If you are facing the same type of challenges outlined above, feel free to reach out to me for a deeper discussion on how to address them.


Monday 16 November 2020

How Running IGA Natively on an ITSM Platform Supports a Culture of Compliance

In my previous two posts, I addressed the many governance challenges today’s enterprises face, but also the opportunities that present themselves when cloud-based ITSM platforms are leveraged to support governance and compliance initiatives.

The goal of this third post is to describe what’s possible when enterprises take things a step further, not just by putting governance and compliance on these cloud platforms but by embedding governance and compliance into an ITSM strategy.

For today’s enterprises, it just makes sense to bring governance and ITSM together. That’s because there’s a clear relationship between every service that an employee can (and cannot) access and the role of that employee within an organization. 

Approaching this in an ad hoc manner presents a number of problems. First and foremost is inefficiency. It takes time and effort to set up accounts for new hires, especially with the average enterprise using dozens of business systems. This process requires a lot of manual labor, and it’s prone to human error. In a recent customer conversation with a logistics company, I learned that the expected wait time for accounts in AD and a few other downstream business applications to be created, operational, and provided to the new hire was two to three weeks. The client’s assessment pointed to the lack of integration between their ITSM system and the actual provisioning activities. In the background, Excel sheets were shuffled around between the involved parties after tickets had been raised. 

The bigger sets of problems, though, relate to security, compliance, and risk management. Some roles need to be subjected to tighter security controls than others. For executive leadership, the finance team, and others who fit this description, it’s critical to understand not only how they access information but also the status of the various pieces of technology they’re using. Is their laptop up to date on its patches? Are they using a personal smartphone to access enterprise apps? Have they enabled two-factor authentication? How well is their VPN connection performing? 

This challenge, which spans multiple security layers, will be the subject of my next post, so stay tuned to learn about what is called XDR.


When it’s hard to do things the right way

There’s a key factor that often exacerbates these problems, and it’s one that a single piece of technology or a single policy isn’t going to fix. It’s the absence of a corporate culture focused on security and compliance.

When enterprises haven’t established such a culture, it’s easy – if not expected – for employees to cut corners. That’s because, in so many cases, it’s actually harder for employees to do things the proper way.

Let’s unpack the above examples a bit further. 

  • It’s unlikely that the average user maliciously avoids patch updates. But if they aren’t being reminded of the importance of installing patches, or if the install process requires carving a lot of time out of a busy schedule, it probably won’t happen. The same goes for two-factor authentication – if it stands in the way of getting information to key decision-makers when and where they need it, then users will find a way around it.

  • Likewise, users don’t turn to apps on their smartphones to intentionally undermine the IT department. They do it because easy-to-use alternatives haven’t been made readily available, or because existing processes favor a more bureaucratic approach. It’s similar to the BYOD phenomenon enterprises had to deal with about a decade ago.

  • IT departments can repeat the message about why the VPN is critical for remote security as often as they want. But if logging into the VPN hinders the performance of critical enterprise apps, or if the network crashes at inopportune moments, employees will stop using it in order to remain productive.

The advantages of IGA that’s native to ITSM

These scenarios keep IT professionals up at night. One of the most effective ways to end the nightmare is to embed governance in your ITSM strategy by running IGA natively on your ITSM platform.

For IT staff as well as employees, this brings about a number of advantages, including several listed below. Taken together, these advantages show that an enterprise takes governance and compliance seriously – and also takes steps to meet these needs without getting in the way of end users’ everyday work.

Self-service requests. Applying logic to self-service requests could do things like bulk-assign a user to the right Active Directory groups or to a batch of enterprise applications.

Separation of duties. By matching privileges to the systems a user has access to and the level of security those systems require, you can restrict a user’s access to certain enterprise systems based on their role. Further, you can withhold access unless users take specific security steps.

Incident management. When information on permissions, software versions, and credentials can be pulled from the ITSM system as the Help Desk is responding to an open ticket, incidents can be closed much more quickly.

Incident prioritization. Linking the ticketing system to hardware and software asset inventory enables the incident response system to automatically prioritize a ticket based on a business system’s impact and urgency, and to detect repeated incidents on a single system or in a single location.   

Workflow management. Bringing IGA and ITSM together enables these workflows to converge, which eliminates unnecessary steps. This removal of the traditional IGA silo also brings standardization and transparency to business processes. 

Process automation. One of the main selling points of ITSM platforms is automation, not just for everyday workflows but also for uncommon and time-consuming processes that can be uncovered through the application of predictive intelligence.

Change management. With role and privilege data for all end users available at a glance, you can minimize the disruption of tasks such as software upgrades, hardware updates, or scheduled downtime. 

Mobility and flexibility. ITSM platforms offer SSO and two-factor authentication for multiple mobile solutions. This gives end users the convenience they want and IT teams the security they need, without having to code integrations for individual enterprise apps with an SSO solution. 

Supporting a culture of compliance

Addressing governance can often feel like trying to hit a fast-moving target. Business requirements change frequently. New security risks emerge constantly. Employee roles and privileges evolve. Business systems are added, modified, and sunsetted. Most teams find themselves reacting to things that have already happened, with little or no time for proactive planning.

When IGA runs natively on an ITSM platform, that target slows down and becomes much easier to hit. Teams gain access to insights across the enterprise that directly impact governance but are all too often tucked away in yet another data silo. 

This allows teams to make important decisions quickly and automate straightforward tasks where appropriate, which frees up time and resources to support the ongoing development of a company-wide culture of governance and compliance that reduces risk while improving usability for all end users. When GRC and IGA become seamless processes for end users, and not complex and laborious drains on productivity, the entire enterprise reaps the benefits.

I’m engaging in more and more conversations with our customers, many of whom have deployed ServiceNOW as their ITSM system. These companies want to make the most of their existing ServiceNOW investment; they don’t want to go down the path of yet another iteration of their legacy IDM system. That’s why I bring up products such as Clear Skye, which is IGA running natively on the NOW platform, and that steers the conversation in the right direction.

Friday 23 October 2020

Getting the Most out of Compliance From Cloud Platforms

In my last post, I talked about a number of the challenges that organizations face as they attempt to improve their IAM, IGA, and GRC strategies. All too often, organizations find that one challenge leads to another, and governance becomes a frustrating chore instead of a strategic imperative or differentiator. 

A lot of this frustration stems from a lack of visibility into business processes. Over time, organizations have implemented a wide range of enterprise systems to meet ever-changing business needs, with little thought about how those apps can – and should – work together. In the interest of convenience and efficiency, IT teams focus on using one-off integrations and workarounds. The need to accommodate remote workers, and external access points with varying degrees of security, has only compounded the problem.

While this is emblematic of larger system management issues, it also has clear implications on governance and compliance efforts. It’s nearly impossible to see at a glance who has access to what, whether those privileges should be revoked, and the extent to which access poses risks both to individual users and to the organization as a whole. Compliance becomes a reactionary process of incident response, not a proactive process of strategy development. 

Remembering my past life, architecting and deploying solutions based upon Waveset Lighthouse and later Sun Identity Manager, a frequently encountered requirement was to integrate with IT service management (ITSM) systems such as BMC Remedy and the like, to capture, send, and react to service tickets. This was an integration that always proved challenging in both technical and process-oriented ways, often because the view of the processes was layered with obscurity.

Recently, though, the emergence of cloud-based platforms for ITSM, configuration management, and operations management has opened the door to improved business process visibility. Combine this with business process automation, also a standard offering on these platforms, and the ease of technically integrating with REST-based APIs, and suddenly it’s possible to take a more holistic approach to governance and compliance.

Here are a few key benefits to bringing compliance and governance on top of a cloud-based ITSM platform.

Seamless application integration. Information is most valuable to enterprise stakeholders when it’s able to flow across applications and roles. This is especially true when platforms are able to integrate legacy ERP or RCM systems in addition to native apps. Business leaders benefit from a single version of the truth that enables data-driven decision-making. Compliance leaders will spend less time gathering data to prepare audits or run incident reports, saving time and reducing complexity.  

Scalability and consistency. Cloud platforms aren’t tied to local, on-premises resources and can be scaled across multiple networks. This allows organizations to overcome one of the biggest obstacles to better GRC: Siloed governance solutions for single sites, or even single servers or applications. Adding a single governance solution across all applications hosted on the same platform creates a consistent experience for end users and can provide the cornerstone for a single governance strategy that applies to HR, finance, operations, security, and service management business lines.

Automation. Built-in notifications, workflows, and approvals bring clear efficiency benefits to the ITSM process. Automation helps compliance efforts as well. Setting clear and repeatable workflows for tasks such as onboarding, deprovisioning, and password management – whether it’s for all employees or on a role-based basis – ensures that these processes meet an organization’s governance and compliance needs every time. Automated incident response also helps organizations stay a step ahead of common threats and enables security teams to devote their valuable time to assessing higher-level risks.

Adaptability. Cloud-based platforms make it easy to plug in those new applications that meet specific business needs. Instead of writing custom integrations, developers can drag and drop the functionality they want. In a traditional environment, this would be a governance nightmare, much like the early days of BYOD and shadow IT. But when IGA and GRC solutions are native to the ITSM platform, the processes in place for current systems will apply to the new applications, allowing an organization’s governance strategy to evolve as new apps come online.

Efficiency and productivity. In traditional environments, GRC is often linked to reduced efficiency, whether it’s auditors poring over spreadsheets of redundant data or end users waiting for a response to a service request. When GRC and ITSM are closely linked, governance can happen behind the scenes, both through process automation and the deployment of repeatable rules and policies. This ensures that governance is far less likely to interfere with day-to-day activities across the organization.

The elevation of governance. For many enterprises, compliance is a core discipline on the same level as security, ERP, HR, finance, operations, and so on. On the other hand, governance is often a subset of another discipline such as compliance or security, making it even harder for governance initiatives to receive the attention they deserve. When governance is native to ITSM, and governance strategy is broadly applied across the enterprise, then the importance of governance as a discipline is magnified to end users and executive leaders alike.

Not every organization is ready for IGA or GRC on a cloud-based platform. Moving traditional and legacy ways of working to the cloud can be disruptive, especially for organizations that can’t afford downtime or that have higher IT, security, or safety priorities in the wake of various COVID-19 challenges. In these cases, more traditional governance solutions will have to do, and there is an abundance of this type of solution.

For those who have already made an investment in a more modern ITSM solution, though, it only makes sense to get the most value from the platform as possible. Embedding governance into ITSM provides an opportunity to gain visibility into governance challenges, automate key governance processes, and demonstrate to the entire enterprise that governance is a high priority. 

In my third post in this series, I’ll dive into more details about how to make the marriage between IGA and ITSM a happy and healthy one.


Thursday 15 October 2020

Why So Many Organizations Struggle With Governance

Since I started my career in Digital Identity over 20 years ago, the fields of identity and access management (IAM), identity governance and administration (IGA), and governance, risk, and compliance (GRC) have evolved substantially, particularly in recent years. Having worked for several vendors in the space (Sun Microsystems, Oracle, ForgeRock), and now heading up the Cyber Security practice for the Nordics at Capgemini, I have noticed, hands on, how many governance solutions and strategies haven’t been able to keep pace with rapid advances in cloud-based business applications that can grant employees access from mobile devices and/or remote locations. This has left governance and compliance teams struggling to catch up, and when they’re armed with inadequate tools it will always be an uphill battle.

I’ve seen organizations face a number of challenges as they have tried to implement or improve IAM, IGA, and GRC. In a lot of cases, there’s a snowball effect. One challenge leads to another, which creates an environment where governance is a nuisance and not a best practice, corners are cut at every turn, and trust is in short supply.

Weak authentication

Passwords and authentication will always rank among the top identity management problems for organizations of all shapes and sizes. What many business leaders don’t realize is that this is also a governance problem.

We all know that end users repeat simple passwords to save time, and frankly - who is not guilty of doing that? Part of this is convenience (or laziness), but it also comes down to having to sign into dozens of applications that aren’t integrated and therefore each need a separate log-in. 

As siloed applications proliferate, governance and security teams struggle to keep up with identity management needs across the enterprise. Not all assets require the same level of security, and certain end users will require escalated responses. Managing these details in a typical Help Desk environment is nearly impossible when business solutions are disconnected.

Provisioning and de-provisioning

Automation has made the process of provisioning accounts easier over time, but that doesn’t necessarily make it better. The old saying “garbage in, garbage out” applies here. If existing users have too many privileges (which is typically the case, as we’ll discuss later), and if access for new users is based on the access that existing users have, then new users will also have too many privileges. This problem is something that I have witnessed at virtually every single client I have ever been at.

De-provisioning presents its own set of challenges. Without up-to-date details about an individual account, and amid the possible headache of creating a service incident, it’s easier for administrators to leave accounts active even if an employee has left or a contract with an external consultant has ended. Not only does this make Active Directory a mess, with more accounts inactive than active and with groups filled with inactive accounts, it opens the door to fraudulent use of existing accounts with excess privilege.

The existence of silos

Silos make IGA and GRC increasingly difficult in two key ways. The first is the traditional on-premises solution for IGA, which, like so many other enterprise systems, sits in a silo that isn’t integrated with other business processes. Without access to identity and access data across the organization as a whole, especially as workforces become increasingly remote, as has obviously been the case during the COVID-19 pandemic, siloed IGA products don’t provide the level of real-time insight that governance teams need to effectively manage identity, certification, and privilege.

The second issue is the siloed nature of the organizations themselves. It’s not uncommon to see localized control requirements and multiple access request tools across business systems from different vendors that have not yet been integrated. Each system often requires its own user administration team, which leads to a duplicative and inefficient provisioning process.

On top of the technical challenges, different departments or locations within the organization may have varying acceptance levels for risk. This can lead to cumbersome approval processes that add little value but delay work requests – or, on the other hand, approvals that don’t receive the necessary scrutiny.

Too many manual processes

As business systems continue to evolve in both sophistication and specialization, they generate increasingly valuable sets of data that can help make intelligent business decisions or meet compliance reporting mandates. But because systems are rarely integrated, structures aren’t in place for retrieving data and using it effectively.

This has numerous downstream effects. Many data pulls are done manually; as a result, documentation isn’t centralized, and analysis and reporting not only takes more time than necessary but is prone to human error. In addition, auditing becomes difficult, accountability suffers, and leadership has little insight into who’s managing the governance process. 

Inability to segregate duties

Organizations obviously don’t want the authority to approve invoices and release payment on invoices to rest with the same person. But this can easily happen if organizations lack visibility into how applications are used across business functions.

This problem commonly arises when reviews are done in an ad hoc fashion. It’s a manual process, but the fact that it’s a manual process is the least of the concerns. After many manual data pulls and many reviews, managers simply approve all access rather than submit tickets to remove access, leaving the average user with much more access than they need. This also lends itself to a process where employees continually seek out a “friendly” approver for access requests, rather than going through the proper channels where a request is evaluated based on business needs or security requirements. 

On top of that, as we discussed above, the over-privileged access profiles for existing users are simply mirrored for new users in an effort to make things “easier.” But this has the opposite effect, as it opens more unnecessary security holes.
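The two problems above, a toxic combination of entitlements (approve invoice plus release payment) and the onboarding shortcut that mirrors an existing user's access onto a new hire, can both be caught with a simple check over an entitlement export. The following is an added example written for this post, not code from the author or any IGA product; the entitlement names, the toxic-combination policy and the sample identities are all constructed placeholders.

```python
"""Segregation-of-duties (SoD) checks over a constructed entitlement export.

Added example, not code from the original post. Entitlement names, the
policy and the sample users below are illustrative placeholders only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed policy: a user holding every entitlement in one frozenset
# violates that rule. The invoice-approval / payment-release pair is the
# conflict described in the post; the second rule is a common sibling.
TOXIC_COMBINATIONS: dict[str, frozenset[str]] = {
    "invoice_approve_and_pay": frozenset({"ap.approve_invoice", "ap.release_payment"}),
    "vendor_create_and_pay": frozenset({"ap.create_vendor", "ap.release_payment"}),
}


@dataclass
class Identity:
    user: str
    entitlements: set[str] = field(default_factory=set)


def find_sod_conflicts(identities, policy=TOXIC_COMBINATIONS):
    """Detective control: return {user: [rule, ...]} for every user whose
    current entitlements contain a complete toxic combination."""
    findings = {}
    for ident in identities:
        hits = sorted(name for name, combo in policy.items()
                      if combo <= ident.entitlements)
        if hits:
            findings[ident.user] = hits
    return findings


def request_would_conflict(ident, requested, policy=TOXIC_COMBINATIONS):
    """Preventive control, run at access-request time: rules that the
    requested entitlement would complete on top of the user's existing
    access. An empty list means the request is safe to route for approval."""
    after = ident.entitlements | {requested}
    return sorted(name for name, combo in policy.items()
                  if requested in combo and combo <= after)


def clone_access(template, new_user):
    """The onboarding shortcut the post warns about: copying an existing
    user's entitlements wholesale copies their SoD conflicts too."""
    return Identity(new_user, set(template.entitlements))


def provision_from_baseline(template, new_user, role_baseline):
    """Safer alternative: grant only what the template user holds AND what
    the role's approved baseline allows, so excess access is not mirrored."""
    return Identity(new_user, set(template.entitlements) & set(role_baseline))


# Constructed sample export (not real data): alice holds the toxic pair.
SAMPLE_IDENTITIES = [
    Identity("alice", {"ap.approve_invoice", "ap.release_payment", "erp.view"}),
    Identity("bob", {"ap.create_vendor", "erp.view"}),
    Identity("carol", {"ap.approve_invoice", "erp.view"}),
]
# Constructed approved baseline for an accounts-payable clerk role.
AP_CLERK_BASELINE = {"ap.approve_invoice", "erp.view"}


if __name__ == "__main__":
    for user, rules in find_sod_conflicts(SAMPLE_IDENTITIES).items():
        print(f"CONFLICT {user}: {', '.join(rules)}")
    dave = clone_access(SAMPLE_IDENTITIES[0], "dave")
    print("cloned from alice:", find_sod_conflicts([dave]))
    erin = provision_from_baseline(SAMPLE_IDENTITIES[0], "erin", AP_CLERK_BASELINE)
    print("baseline-limited:", sorted(erin.entitlements), find_sod_conflicts([erin]))
    print("carol requests ap.release_payment:",
          request_would_conflict(SAMPLE_IDENTITIES[2], "ap.release_payment"))
```

The detective check is what a periodic access review should run; the preventive check is what an access-request workflow should run before a "friendly" approver ever sees the ticket.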

No culture of compliance

All of these challenges taken together mean that governance and compliance are afterthoughts for far too many organizations. They really need to be embedded into everyday best practices and overall culture, with endorsements from executive leadership down to management and rank-and-file end users. When one department fails to comply, the entire organization suffers. There is no excuse for employees not being up to date on the requirements that impact their work, even as regulations change on a seemingly daily basis. 

A big reason for this disconnect is that organizations treat governance as an IT issue and not a program that applies to everyone. If governance is viewed as a siloed IT solution, then organizations will struggle to measure ROI, as implementing access measures and managing identities brings limited value compared to other IT and business initiatives. This only pushes governance further down the priority list and makes risk mitigation even harder.

As you can see, governance presents today’s organizations with numerous challenges that can easily build on top of each other if they aren’t properly addressed. Fortunately, taking the right steps and implementing the right solutions can help set organizations on the right track. 

In my next post, I’ll talk about the actions that organizations can take.


