Making Smarter Access Control Decisions

June 26, 2018

Hey Siri, block that attacker, please


Wouldn’t it be great if Siri, Alexa, or Google Assistant had the intelligence to figure out malicious intent, govern access to our sensitive corporate data, and alert us in real time when something dodgy was going on? Well, they do leverage modern machine learning and AI to make “intelligent” decisions, but they’re clearly not designed for enterprise-grade security.

At Centrify, though, we’re using AI and machine learning concepts to develop Next-Gen Access security to do just that. Only it's not in a soft, cute, platonic solid form factor that sits on your desk….yet.

As part of Centrify's Zero Trust Security Learn & Adapt pillar, Centrify Analytics Services analyze a collection of empirical (historical) and runtime (right now) data to perform pattern prediction (likelihood) that can then be used to help differentiate unauthorized from legitimate access. It hits all the enterprise value props - reducing risk, improving security, reducing costs, meeting compliance and improving productivity and usability for both IT and end users.

Can’t we do that today?

But let’s rewind a bit. What’s broken that requires such a dramatic redress? Today, the majority of traditional access controls are governed by static policies that IT or IT Security has to write. Problem is, it’s hard to predict all possible attack scenarios and convert them into policy-speak. Like anything else that requires upkeep (such as privileged account password rotation), it tends to be neglected. So static policies rarely cover all your bases and they rarely get updated as attack pathologies change.

Net-net - it leaves you exposed.


The machine learning engine in Centrify Analytics Services doesn’t rely on that. Like the aforementioned intelligent assistants, it learns user behavior without being programmed. Over time, it defines “normal” for each user and compares actions against that baseline, creating a risk score for each access request in real-time. Low risk - grant access. High risk - deny access. Medium risk - prompt for additional factors to better assure the user’s identity.

What you gain from this is real-time intelligent access control plus early anomaly detection vs. stumbling upon something fishy weeks or months down the line plus the fun of being negatively portrayed in the tabloids.

Let’s talk through a well-publicized breach scenario and see how Centrify Analytics could have helped prevent it.

Phishing for something juicy…

Back in 2015, a top 4 healthcare issuer was subject to a massive cyber-attack. We know from public disclosures that it was a classic phishing campaign that began when an employee opened a phishing email containing a malware payload, resulting in malicious files being downloaded.

Like many workers, the user had administrative access to their corporate-issued computer. IT was oblivious, however, to exactly who had such access; they didn’t have the tools to track or manage it. Since the employee was logged in with an admin account, the malware ran with admin privileges.

In traditional “kill chain” fashion, it established a command and control channel to the hackers, giving them “hands on the keyboard” access inside the network. They were then able to reconnoiter and move laterally to other servers.

When a tree falls in the forest…


What did they find? Hundreds of privileged accounts across multiple domains were stale - not being used regularly. These were targeted, compromised, and their passwords changed all within two hours.

On the service account front, an Advanced Persistent Threat (APT) in the network was systematically changing passwords but when some attempts failed, it automatically retried often locking out the account. We’re talking thousands of service accounts that were in lock out status. Again, no one had sufficient insights to connect the dots that something was awry. When some were noticed, no one challenged the reasons.

In both scenarios, IT had no insights into the potential risk. It was essentially blind. The company wasn’t using anything to measure normal behavior and raise a red flag when something anomalous occurred. It was business as usual but with an uninvited guest crawling through the infrastructure.

Warning signs

Had behavioral access controls been in place, IT would have been alerted when someone or something masquerading as a legitimate Data Scientist scheduled a job to export millions of user records from the data warehouse and then exfiltrate it to the internet. But without this, three key data points went unnoticed…the Data Scientist:

  1. Was on PTO
  2. Had never done this before
  3. Was exfiltrating data to a destination that was not a trusted partner site

This really happened, by the way.

Do the smart thing


Access controls exist for a reason. However, they can be dumb or smart. They can rely on static rules and policies that need constant care and feeding to react to unremitting advancements in attack pathologies.

In the modern hybrid enterprise where there is no defined perimeter  (your infrastructure can exist on-premises and in the cloud) accessed by internal and outsourced administrators and contractors, you need something much more intelligent and dynamic. It’s absolutely critical to baseline and measure everything that happens with privileged users, roles, data, approvals, and accounts. Then use these dynamic and evolving measures to supplement threat metrics and analytical runtime decision making.

Although I can’t obviously say with absolute certainty, I think it’s clear that:

  • Analytics would definitely have helped raise awareness of anomalous activity
  • Analytics combined with the other aspects of Zero Trust - verify the user, validate the device, and limit access and privilege - could have prevented the breach entirely

To learn more, please check out Centrify Analytics Services on our website and a demo.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.