BigSnarf blog

Infosec FTW

Access control data mining

[Image: accessControl]

Access Control

We set up a series of authorizations to put people on systems so they can access data and, hopefully, have a matching series of authorizations and systems in place to remove them again. In practice there are few systems that can quickly remove people from systems, and perhaps the systems are audited quarterly by a third party. We choose RBAC systems, encrypt passwords, enforce complex passwords and expire passwords, all in an attempt to control access to data assets.

Verification: a process control to monitor access control

Three types of manual verification can be done:

  • Ask the system custodian to verify access
  • Ask the user to verify access
  • Ask the data custodian to verify access
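One way to turn the three manual verifications into something a script can drive, as an added example rather than code from this post: reconcile current grants against the active-user roster so departed people can be revoked immediately, and build one review item per grant that must be confirmed by the system custodian, the user and the data custodian. All users, systems, datasets and custodian assignments below are constructed.

```python
"""Access recertification helper.

Added example, not code from the original post.  It takes a list of current
grants and the active-user roster, (1) flags grants whose holder is no longer
active so they can be revoked without waiting for the next review, and
(2) builds one review item per grant addressed to the three attestors named
above: the system custodian, the user and the data custodian.  All names,
systems and datasets are constructed sample data.
"""
from dataclasses import dataclass

UNASSIGNED = "unassigned"  # marker for a system or dataset with no recorded custodian
ATTESTOR_ROLES = ("system_custodian", "user", "data_custodian")


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    dataset: str
    role: str


# Constructed sample data.
SYSTEM_CUSTODIANS = {"hr-db": "alice", "billing": "bob"}
DATA_CUSTODIANS = {"payroll": "carol", "invoices": "dave"}
ACTIVE_USERS = {"alice", "bob", "carol", "dave", "erin"}
GRANTS = [
    Grant("erin", "hr-db", "payroll", "reader"),
    Grant("frank", "billing", "invoices", "admin"),  # frank has left the company
    Grant("bob", "billing", "invoices", "reader"),
    Grant("erin", "wiki", "notes", "editor"),        # nobody owns "wiki" or "notes"
]


def orphaned_grants(grants, active_users):
    """Grants held by people no longer on the roster: revoke these first."""
    return [g for g in grants if g.user not in active_users]


def review_items(grants, system_custodians, data_custodians):
    """One review item per grant, naming who must confirm it and who has so far."""
    return [
        {
            "grant": g,
            "attestors": {
                "system_custodian": system_custodians.get(g.system, UNASSIGNED),
                "user": g.user,
                "data_custodian": data_custodians.get(g.dataset, UNASSIGNED),
            },
            "confirmed_by": set(),
        }
        for g in grants
    ]


def record_attestation(item, attestor_role):
    """Record that one of the three attestors confirmed the grant."""
    if attestor_role not in ATTESTOR_ROLES:
        raise ValueError(f"unknown attestor role: {attestor_role}")
    item["confirmed_by"].add(attestor_role)


def missing_custodians(items):
    """Grants that cannot be fully reviewed because an attestor is unassigned."""
    return [i["grant"] for i in items if UNASSIGNED in i["attestors"].values()]


def unconfirmed(items):
    """Grants not confirmed by all three attestors: removal candidates once the review window closes."""
    return [i["grant"] for i in items if i["confirmed_by"] != set(ATTESTOR_ROLES)]


if __name__ == "__main__":
    print("revoke now:", orphaned_grants(GRANTS, ACTIVE_USERS))
    items = review_items(GRANTS, SYSTEM_CUSTODIANS, DATA_CUSTODIANS)
    print("cannot be reviewed:", missing_custodians(items))
    for role in ATTESTOR_ROLES:
        record_attestation(items[0], role)
    print("still unconfirmed:", unconfirmed(items))
```

The two useful outputs are the orphan list, which needs no review at all, and the list of grants a custodian was never assigned for, which is the gap a quarterly audit tends to find long after the fact.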

[Screenshot from 2014-02-18]

Monitoring Access Control and data mining

Monitoring access to data assets remains a difficult task. You can monitor transactions, monitor a person's access, look at where they came from, and so on. It is almost like a feature set for data mining. You can look at volumes, types of transactions, time of day and access patterns. You can look at granting patterns, removal patterns and group membership patterns, and for each of these again at the volumes, types of transactions, time of day and access patterns. You can also look for skyline patterns and changes in the rolling weekly and 30-day statistics. You can even monitor the patterns of the data accessed, again by volume, type of transaction, time of day and access pattern. These might be great candidates for graph databases. These are detective controls.
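An added example of the feature mining described above, not code from the original post: raw access events are reduced to per-user, per-day features (volume, transaction types, off-hours activity, source addresses), and each user's latest day is compared with a rolling baseline of earlier days so an unusual day stands out. The log lines and their format (timestamp, user, action, dataset, source IP) are constructed assumptions.

```python
"""Access-log feature mining with a rolling baseline.

Added example, not code from the original post.  It turns raw access events
into the per-user, per-day features the post lists and compares each user's
latest day with the preceding days.  Log lines and format are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed sample log: erin reads payroll during the day for four days, then
# bulk-exports it at 02:00 from a new address; bob is steady throughout.
LOG_LINES = """\
2014-02-10T09:12:00 erin READ payroll 10.0.0.5
2014-02-10T09:40:00 erin READ payroll 10.0.0.5
2014-02-11T10:05:00 erin READ payroll 10.0.0.5
2014-02-11T10:30:00 erin READ payroll 10.0.0.5
2014-02-11T15:02:00 erin READ payroll 10.0.0.5
2014-02-12T09:50:00 erin READ payroll 10.0.0.5
2014-02-12T11:10:00 erin READ payroll 10.0.0.5
2014-02-13T09:30:00 erin READ payroll 10.0.0.5
2014-02-13T10:00:00 erin READ payroll 10.0.0.5
2014-02-13T16:45:00 erin READ payroll 10.0.0.5
2014-02-14T02:15:00 erin EXPORT payroll 203.0.113.9
2014-02-14T02:16:00 erin EXPORT payroll 203.0.113.9
2014-02-14T02:17:00 erin EXPORT payroll 203.0.113.9
2014-02-14T02:18:00 erin EXPORT payroll 203.0.113.9
2014-02-14T02:19:00 erin EXPORT payroll 203.0.113.9
2014-02-14T02:20:00 erin EXPORT payroll 203.0.113.9
2014-02-10T09:05:00 bob READ invoices 10.0.0.7
2014-02-10T14:30:00 bob READ invoices 10.0.0.7
2014-02-11T09:05:00 bob READ invoices 10.0.0.7
2014-02-11T14:30:00 bob READ invoices 10.0.0.7
2014-02-12T09:05:00 bob READ invoices 10.0.0.7
2014-02-12T14:30:00 bob READ invoices 10.0.0.7
2014-02-13T09:05:00 bob READ invoices 10.0.0.7
2014-02-13T14:30:00 bob READ invoices 10.0.0.7
"""

BUSINESS_HOURS = (8, 18)  # assumption: 08:00-18:00 local time counts as on-hours


def parse(text):
    """Parse the whitespace-separated log format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, dataset, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "dataset": dataset, "ip": ip})
    return events


def daily_features(events):
    """Per (user, day): event count, action histogram, off-hours count, source IPs."""
    feats = defaultdict(lambda: {"count": 0, "types": Counter(), "off_hours": 0, "ips": set()})
    for e in events:
        f = feats[(e["user"], e["ts"].date())]
        f["count"] += 1
        f["types"][e["action"]] += 1
        f["ips"].add(e["ip"])
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            f["off_hours"] += 1
    return dict(feats)  # plain dict so later lookups cannot create empty days


def score_user(feats, user, window=7, z_threshold=2.0):
    """Compare the user's latest day with up to `window` earlier days; return why it looks unusual."""
    days = sorted(d for (u, d) in feats if u == user)
    if len(days) < 2:
        return []  # nothing to compare against yet
    latest, history = days[-1], days[-window - 1:-1]
    today = feats[(user, latest)]
    past = [feats[(user, d)] for d in history]
    counts = [p["count"] for p in past]
    # Floor the spread at one event so a perfectly flat history does not make every change infinite.
    spread = max(statistics.pstdev(counts), 1.0)
    z = (today["count"] - statistics.mean(counts)) / spread
    seen_types = set().union(*(p["types"] for p in past))
    seen_ips = set().union(*(p["ips"] for p in past))
    reasons = []
    if z > z_threshold:
        reasons.append(f"volume z={z:.1f} against {len(history)}-day baseline")
    new_types = sorted(set(today["types"]) - seen_types)
    if new_types:
        reasons.append(f"new transaction types: {new_types}")
    new_ips = sorted(today["ips"] - seen_ips)
    if new_ips:
        reasons.append(f"new source IPs: {new_ips}")
    if today["off_hours"] and not any(p["off_hours"] for p in past):
        reasons.append(f"{today['off_hours']} off-hours events, none in baseline")
    return reasons


def flagged_users(feats, **kwargs):
    """Users whose latest day produced at least one reason."""
    users = {u for (u, _) in feats}
    return {u: r for u in sorted(users) if (r := score_user(feats, u, **kwargs))}


if __name__ == "__main__":
    for user, reasons in flagged_users(daily_features(parse(LOG_LINES))).items():
        print(user, reasons)
```

The same per-day feature dictionary is what the post calls a feature set for data mining: the 30-day statistics it mentions are the same computation with `window=30`, and granting and removal events can be fed through `parse` with their own action names to get the granting and removal patterns.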

For example, to find credit card fraud using phone numbers, email addresses and IP addresses, we count:

1. How many unique phone numbers, emails and IP addresses are tied to the given credit card.
2. How many unique credit cards, emails, and IP addresses are tied to the given phone number.
3. How many unique credit cards, phone numbers and IP addresses are tied to the given email.
4. How many unique credit cards, phone numbers and emails are tied to the given IP address.

http://maxdemarzi.com/2014/02/12/online-payment-risk-management-with-neo4j/
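The four questions above are one question asked from four directions. As an added example (not code from this post or from the linked Neo4j article), the block below indexes transactions by every identifier and answers the general form: for any identifier, how many distinct values of each other identifier type are tied to it. The transactions and identifier fields are constructed.

```python
"""Link counting across payment identifiers.

Added example, not code from the original post or from the Neo4j article it
links.  For any identifier (card, phone, email or IP) it reports how many
distinct values of each other identifier type share a transaction with it,
which generalises the four questions above.  Transactions are constructed.
"""
from collections import defaultdict

IDENTIFIER_TYPES = ("card", "phone", "email", "ip")

# Constructed sample: one address shared by four different cards, phones and emails.
TRANSACTIONS = [
    {"card": "card-1", "phone": "+1-555-0001", "email": "a@example.com", "ip": "198.51.100.1"},
    {"card": "card-1", "phone": "+1-555-0001", "email": "a@example.com", "ip": "198.51.100.1"},
    {"card": "card-2", "phone": "+1-555-0002", "email": "b@example.com", "ip": "198.51.100.7"},
    {"card": "card-3", "phone": "+1-555-0003", "email": "c@example.com", "ip": "198.51.100.7"},
    {"card": "card-4", "phone": "+1-555-0004", "email": "d@example.com", "ip": "198.51.100.7"},
    {"card": "card-5", "phone": "+1-555-0005", "email": "e@example.com", "ip": "198.51.100.7"},
]


def build_links(transactions):
    """Index: links[(type, value)][other_type] -> set of other values seen with it."""
    links = defaultdict(lambda: defaultdict(set))
    for t in transactions:
        for kind in IDENTIFIER_TYPES:
            for other in IDENTIFIER_TYPES:
                if other != kind:
                    links[(kind, t[kind])][other].add(t[other])
    return {k: dict(v) for k, v in links.items()}  # plain dicts: lookups never create nodes


def link_counts(links, kind, value):
    """Distinct values of each other identifier type tied to (kind, value); zeros if unknown."""
    if kind not in IDENTIFIER_TYPES:
        raise ValueError(f"unknown identifier type: {kind}")
    tied = links.get((kind, value), {})
    return {other: len(tied.get(other, ())) for other in IDENTIFIER_TYPES if other != kind}


def risky(links, kind, value, max_links=3):
    """True if any other identifier type is tied to this one more than `max_links` times."""
    return any(n > max_links for n in link_counts(links, kind, value).values())


def flagged_identifiers(transactions, max_links=3):
    """Every (type, value) in the transactions that exceeds the link threshold."""
    links = build_links(transactions)
    return sorted(key for key in links if risky(links, *key, max_links=max_links))


if __name__ == "__main__":
    links = build_links(TRANSACTIONS)
    print(link_counts(links, "ip", "198.51.100.7"))  # the shared address
    print(link_counts(links, "card", "card-1"))      # an ordinary card
    print(flagged_identifiers(TRANSACTIONS))
```

The index is the adjacency list a graph database would hold natively; the threshold in `risky` is a constructed cut-off, and in practice it would come from the baseline distribution of link counts for each identifier type.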

Monitoring Access Control and Predictive models

I would argue this is the first step towards predictive controls: highlighting patterns of abuse and fraud by building predictive models for your access controls. Tightening access controls at this level is sophisticated, and there aren't any commercial tools that I know of that are this sophisticated at predicting volumes, types of transactions, time of day, access patterns, abuse patterns, impersonation patterns and fraud patterns in access control.

[Image: acl-all]

All of this leads to having machines help us monitor access controls, by building systems that direct our efforts towards breach investigations and access control violations.

[Image: access-palantir]
