3. Identity Context
Identity
Identity Risk Ranking Metrics (CASB provided)
• Device Signature
    • Age – First time use for identity?
    • Known Issues
    • Current Issues
• Browser Signature
    • Age
    • Known Issues
    • Current Issues
• Origin IP Risks
    • Known Blacklisting/Botnets
    • Unusual for ID
    • Geo-fencing
• Registration/Provisioning Process Strength
• Identity Store Trust Level
    • Scale Integration
    • Owned/Not Owned/Controlled
    • Maintenance
    • Attribute set validity
• ID Age
• ID Usage History
• …
In all cases, scoring can start as simplified abstractions (+1 or +0.1 per item, based on assumptions and adjusted over time through learning and manual adjustment), or it can use valid Bayesian outlier detection and recursive machine learning to adjust based on experience. For true machine learning there MUST be a decision point and a feedback path.
Example
1 – Trusted, owned, managed device with recent strong authentication
3 – Unknown device but recent authentication
5 – Blacklisted device
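The following is an added example, not code from the deck: an identity-context score built as the "simplified abstraction" described above, a small penalty per risky item summed and banded onto the 1..5 scale, plus a feedback hook that nudges one weight after a decision is reviewed. The signal names, the starting weights, the band ceilings and the 0..3 weight bounds are assumptions, chosen so that the three example cases on the slide land on 1, 3 and 5.

```python
# Added example (not from the deck): identity-context risk score as an additive
# per-item abstraction banded to 1..5, with a feedback path for weight adjustment.
from dataclasses import dataclass
from typing import Dict


@dataclass
class IdentitySignals:
    device_known: bool = False        # device signature seen before for this identity
    device_managed: bool = False      # owned / managed device
    device_blacklisted: bool = False  # device signature has known issues
    browser_known: bool = False       # browser signature seen before
    ip_blacklisted: bool = False      # origin IP on a known blacklist / botnet list
    ip_unusual_for_id: bool = False   # origin IP never seen for this identity
    outside_geofence: bool = False    # origin outside the identity's allowed geography
    recent_strong_auth: bool = False  # strong authentication inside the policy window
    store_trust: float = 1.0          # 0.0..1.0 trust in the identity store


# Assumed starting weights (the slide's "+1 / +0.1 per item" idea).
PENALTIES: Dict[str, float] = {
    "unknown_device": 1.5,
    "unmanaged_device": 0.5,
    "unknown_browser": 0.5,
    "ip_unusual_for_id": 0.5,
    "outside_geofence": 1.0,
    "no_recent_strong_auth": 1.0,
    "low_store_trust": 1.0,
}


def hard_block(s: IdentitySignals) -> bool:
    """Signals that pin the score at 5 regardless of the additive sum."""
    return s.device_blacklisted or s.ip_blacklisted


def raw_identity_risk(s: IdentitySignals, weights: Dict[str, float] = PENALTIES) -> float:
    """Additive penalty: every risky item contributes its weight."""
    total = 0.0
    if not s.device_known:
        total += weights["unknown_device"]
    if not s.device_managed:
        total += weights["unmanaged_device"]
    if not s.browser_known:
        total += weights["unknown_browser"]
    if s.ip_unusual_for_id:
        total += weights["ip_unusual_for_id"]
    if s.outside_geofence:
        total += weights["outside_geofence"]
    if not s.recent_strong_auth:
        total += weights["no_recent_strong_auth"]
    if s.store_trust < 0.5:
        total += weights["low_store_trust"]
    return round(total, 2)


def identity_score(s: IdentitySignals, weights: Dict[str, float] = PENALTIES) -> int:
    """Band the raw penalty onto the 1..5 scale (ceilings are assumptions)."""
    if hard_block(s):
        return 5
    raw = raw_identity_risk(s, weights)
    for ceiling, score in ((0.5, 1), (1.5, 2), (2.5, 3), (3.5, 4)):
        if raw <= ceiling:
            return score
    return 5


def apply_feedback(weights: Dict[str, float], signal: str, confirmed_incident: bool,
                   step: float = 0.1) -> Dict[str, float]:
    """Feedback path: raise one weight after a confirmed incident, lower it after a
    reviewed false positive. Returns a new dict; bounds 0..3 are an assumption."""
    updated = dict(weights)
    delta = step if confirmed_incident else -step
    updated[signal] = round(max(0.0, min(3.0, weights[signal] + delta)), 2)
    return updated


if __name__ == "__main__":
    # Constructed inputs mirroring the slide's three example cases.
    trusted = IdentitySignals(device_known=True, device_managed=True,
                              browser_known=True, recent_strong_auth=True)
    unknown = IdentitySignals(recent_strong_auth=True)
    blacklisted = IdentitySignals(device_blacklisted=True, recent_strong_auth=True)
    for name, sig in (("trusted", trusted), ("unknown", unknown), ("blacklisted", blacklisted)):
        print(name, raw_identity_risk(sig), identity_score(sig))
```

Because `apply_feedback` returns a copy instead of mutating the shared table, a reviewed decision can be replayed against the old and new weights side by side before the adjustment is promoted, which is the decision point and feedback path the slide calls for.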
4. Transaction Context
Transaction
Transaction Risk Ranking Metrics
• Transaction Frequency
    • Outside 2 standard deviations
• Transaction Scale
    • Outside 2 standard deviations
• Transaction to Transaction Context
    • Identified administrative transactions
    • Transactions that impact multiple other transactions
    • Authorizations that get passed to many others
• Business Segregation of Duties
    • Usually relies on Data Context
Frequency and Scale are the metrics most readily translated into actionable controls.
Example
1 – Identity, data and transaction frequency and scale are all within normal usage, with a large data set to compare against
3 – Unusual or new identity or transaction
5 – Dramatically abnormal transaction frequency or scale, OR
5 – Transaction combinations that the business says are significant SoD issues
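An added example, not code from the deck, of the transaction-context score: frequency and scale of a transaction are compared against a per-identity history with the "outside 2 standard deviations" test from the slide, a thin history is treated as "new", and a business-declared SoD conflict pins the score at 5. The history length needed to count as a "large data set", the 4-sigma cut for "dramatically abnormal", the floor for administrative transactions and the sample histories are all assumptions.

```python
# Added example (not from the deck): transaction-context score from frequency and
# scale outliers against a per-identity baseline, plus the SoD override.
import statistics
from typing import Sequence

MIN_HISTORY = 30       # assumed: below this the baseline is too thin to call "normal"
UNUSUAL_SIGMAS = 2.0   # from the slide: outside 2 standard deviations
DRAMATIC_SIGMAS = 4.0  # assumed cut for "dramatically abnormal"


def zscore(value: float, history: Sequence[float]) -> float:
    """Standard deviations between value and the history mean (sample std dev)."""
    if len(history) < 2:
        raise ValueError("need at least two history points")
    mean = statistics.fmean(history)
    sd = statistics.stdev(history)
    if sd == 0.0:
        # A flat history: anything that differs at all is infinitely unusual.
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def is_outlier(value: float, history: Sequence[float], sigmas: float = UNUSUAL_SIGMAS) -> bool:
    """True when value lies outside +/- sigmas standard deviations of history."""
    return abs(zscore(value, history)) > sigmas


def transaction_score(frequency: float, frequency_history: Sequence[float],
                      scale: float, scale_history: Sequence[float],
                      sod_conflict: bool = False, administrative: bool = False) -> int:
    """Band the transaction onto the slide's 1 / 3 / 5 examples."""
    if sod_conflict:
        return 5  # business-declared segregation-of-duties issue
    if len(frequency_history) < MIN_HISTORY or len(scale_history) < MIN_HISTORY:
        return 3  # new identity or transaction type: no large data set to compare with
    worst = max(abs(zscore(frequency, frequency_history)),
                abs(zscore(scale, scale_history)))
    if worst > DRAMATIC_SIGMAS:
        score = 5
    elif worst > UNUSUAL_SIGMAS:
        score = 3
    else:
        score = 1
    if administrative:
        score = max(score, 3)  # assumption: admin transactions never score as routine
    return score


# Constructed sample baselines: 30 days of per-day transaction counts and 30
# typical transaction amounts for one identity.
FREQ_HISTORY = [10, 12, 11, 9, 10, 13, 11, 10, 12, 9] * 3
SCALE_HISTORY = [100, 120, 95, 110, 105, 130, 90, 115, 100, 125] * 3

if __name__ == "__main__":
    for freq, amount in ((11, 110), (14, 110), (11, 150), (25, 110)):
        print(freq, amount, round(zscore(freq, FREQ_HISTORY), 2),
              round(zscore(amount, SCALE_HISTORY), 2),
              transaction_score(freq, FREQ_HISTORY, amount, SCALE_HISTORY))
```

The sample standard deviation is used on purpose: with a short history it is wider than the population figure, so a thin baseline is slower to flag outliers, and the explicit `MIN_HISTORY` gate handles the genuinely new identity case that the slide scores as 3.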
5. Data Context
Data
Data Risk Ranking Metrics
Captured at data creation or application creation. Based on the impact of a violation of CIAC (confidentiality, integrity, availability, compliance):
• Confidentiality
    • Personal Information
    • Secrets (used for other access)
    • PI
    • …
• Integrity
    • Controls other things
    • Can be used to steal
• Availability
    • Standard business continuity metrics
    • Business Impact
    • Time to impact
    • Time to first loss
    • Ransomware-able
• Compliance/Legal
    • Legal Requirement
    • Industry Requirement
    • Organizational Requirement
Captured in the CI/CD pipeline and at application creation, and refined during the feedback path for the machine learning portion of the transaction outlier context.
6. Risk score combinations – one score from each of the three contexts, 125 triples in total

First score 1:
1,5,1 1,5,2 1,5,3 1,5,4 1,5,5
1,4,1 1,4,2 1,4,3 1,4,4 1,4,5
1,3,1 1,3,2 1,3,3 1,3,4 1,3,5
1,2,1 1,2,2 1,2,3 1,2,4 1,2,5
1,1,1 1,1,2 1,1,3 1,1,4 1,1,5

First score 2:
2,5,1 2,5,2 2,5,3 2,5,4 2,5,5
2,4,1 2,4,2 2,4,3 2,4,4 2,4,5
2,3,1 2,3,2 2,3,3 2,3,4 2,3,5
2,2,1 2,2,2 2,2,3 2,2,4 2,2,5
2,1,1 2,1,2 2,1,3 2,1,4 2,1,5

First score 3:
3,5,1 3,5,2 3,5,3 3,5,4 3,5,5
3,4,1 3,4,2 3,4,3 3,4,4 3,4,5
3,3,1 3,3,2 3,3,3 3,3,4 3,3,5
3,2,1 3,2,2 3,2,3 3,2,4 3,2,5
3,1,1 3,1,2 3,1,3 3,1,4 3,1,5

First score 4:
4,5,1 4,5,2 4,5,3 4,5,4 4,5,5
4,4,1 4,4,2 4,4,3 4,4,4 4,4,5
4,3,1 4,3,2 4,3,3 4,3,4 4,3,5
4,2,1 4,2,2 4,2,3 4,2,4 4,2,5
4,1,1 4,1,2 4,1,3 4,1,4 4,1,5

First score 5:
5,5,1 5,5,2 5,5,3 5,5,4 5,5,5
5,4,1 5,4,2 5,4,3 5,4,4 5,4,5
5,3,1 5,3,2 5,3,3 5,3,4 5,3,5
5,2,1 5,2,2 5,2,3 5,2,4 5,2,5
5,1,1 5,1,2 5,1,3 5,1,4 5,1,5
Applied at authentication event or forced on alert event:
• All 3 in the low 1’s or 2’s – transparent, no additional authentication
• Some in the 3’s – additional authentication required
• Some in the 4’s – MFA or strong authentication required
• 5’s – block and/or alert for human action
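An added example, not code from the deck, of the decision applied at an authentication event (or re-applied when an alert forces re-evaluation) from the three context scores, following the four rules above in strictest-first order so that a single 5 wins over any number of 1s. It also enumerates the full 125-triple matrix so the distribution of outcomes can be checked. The action names, the optional per-triple override table (the "very detailed matrices" the business may define) and the rule that an alert-driven re-evaluation never relaxes a session below its current level are assumptions.

```python
# Added example (not from the deck): the authentication decision from the
# (identity, transaction, data) score triple, with the full matrix enumerated.
from itertools import product
from typing import Dict, Optional, Tuple

Triple = Tuple[int, int, int]  # one score from each context, each 1..5

TRANSPARENT = "transparent"          # all three in the 1s or 2s
ADDITIONAL_AUTH = "additional_auth"  # some score in the 3s
STRONG_AUTH = "mfa_or_strong_auth"   # some score in the 4s
BLOCK_AND_ALERT = "block_and_alert"  # any 5: block and/or alert for human action

# Least to most restrictive; used so an alert can only ratchet a session up.
ORDER = [TRANSPARENT, ADDITIONAL_AUTH, STRONG_AUTH, BLOCK_AND_ALERT]


def decide(scores: Triple, overrides: Optional[Dict[Triple, str]] = None) -> str:
    """Map a score triple to an action. Overrides let the business pin a
    specific combination to a specific action (assumption)."""
    if len(scores) != 3 or any(not 1 <= s <= 5 for s in scores):
        raise ValueError("expected three scores in 1..5, got %r" % (scores,))
    if overrides and scores in overrides:
        return overrides[scores]
    worst = max(scores)  # evaluate the strictest rule first
    if worst == 5:
        return BLOCK_AND_ALERT
    if worst == 4:
        return STRONG_AUTH
    if worst == 3:
        return ADDITIONAL_AUTH
    return TRANSPARENT


def build_matrix(overrides: Optional[Dict[Triple, str]] = None) -> Dict[Triple, str]:
    """All 125 combinations of the three context scores and their actions."""
    return {t: decide(t, overrides) for t in product(range(1, 6), repeat=3)}


def summarize(matrix: Dict[Triple, str]) -> Dict[str, int]:
    """How many triples land on each action."""
    counts: Dict[str, int] = {}
    for action in matrix.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


def on_event(event: str, scores: Triple, current_action: Optional[str] = None) -> str:
    """'auth' evaluates fresh; 'alert' forces re-evaluation but never relaxes the
    session below its current action (assumption: alerts only ratchet up)."""
    fresh = decide(scores)
    if event == "auth" or current_action is None:
        return fresh
    if event != "alert":
        raise ValueError("unknown event %r" % event)
    return ORDER[max(ORDER.index(fresh), ORDER.index(current_action))]


if __name__ == "__main__":
    matrix = build_matrix()
    print(summarize(matrix))
    for triple in ((1, 2, 1), (1, 3, 2), (4, 1, 1), (3, 5, 1)):
        print(triple, decide(triple))
```

The summary makes the shape of the policy visible: with the four rules as stated only the eight triples made of 1s and 2s are transparent, while 61 of the 125 combinations contain a 5 and therefore block or alert, which is worth knowing before tuning the per-context scoring.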
Very detailed Matrices can be built as needed by the business or risk
Continuous Risk Based Authentication