Why you're probably doing endpoint security all wrong

The traditional combination of username and password to secure company devices and systems is outdated and could be putting your business at risk. Employing an AI-based continuous identity management system could defeat the great majority of credential-theft (account takeover) attacks as well as aid security operations in analyzing potential threats.


Most organizations still do endpoint security the old-fashioned way: users of PCs, smartphones, tablets and Chromebooks log in with a username and password. Many companies go further and force users to change their passwords every 3-6 months, in theory to limit the damage from a stolen credential. In practice the policy annoys users, generates a steady stream of help desk calls for forgotten passwords, is costly for the organization, and buys little additional security; NIST SP 800-63B now advises against forcing periodic password changes unless there is evidence of compromise. Our research puts the cost of continual password changes over a three-year period at between $1,011 and $1,272 per user per app ("Your PC has an Identity Crisis", J. Gold Associates, LLC., Copyright 2016). Given that most organizations run hundreds or thousands of apps, each with many users, the aggregate cost is staggering.

Besides their cost, static login credentials do little to secure the organization once they leak: a password proves only that someone knows the password, not who is typing it. Stolen or abused credentials are consistently among the leading ways attackers get into "secure" corporate systems, and the resulting breaches are expensive. According to the IBM/Ponemon Cost of a Data Breach Report 2020, the average worldwide cost of a data breach was $3.86M, while the US had the highest average at $8.64M.

Some organizations have moved to biometrics for user identity management, assuming fingerprint scanners or camera-based facial recognition are a step up in protection. Often they are not much of one. Recognition can be unreliable for the user, and where the system matches against a central store of biometric templates, that store becomes a high-value target; unlike a password, a leaked fingerprint cannot be rotated. (Platform biometrics built into modern laptops and phones typically keep the template in on-device secure hardware and never send it to a server, which avoids the central-store problem but ties the enrolment to that one device.) Because most biometric systems are device specific, users with several devices enrol several times, and their exposure grows accordingly. Finally, some biometric policies and products are so annoying that users bypass them altogether, making themselves an even bigger target and exposing the organization to greater breach risk.

What's needed is a different way of securing access to devices and corporate systems, one that does not rest on a username and password or a biometric match as the sole proof of identity, so that a stolen credential alone is not enough to get in. It should also not depend on a centralized store of confidential identity data that can be hacked or otherwise compromised. Nothing is perfect, but advances in Artificial Intelligence and Machine Learning make significantly better identity management possible: systems that learn enough about how a user behaves to tell a genuine session from a fraudulent one, regardless of which login identity was presented. The same signal is useful for compliance, enforcing policies for file access, network connectivity, app availability, and so on. We expect an AI-driven continuous identity management system to be part of most organizations' security processes within the next 2-3 years.

What is AI-driven continuous identity management (CIM)?

A CIM uses machine learning to build a behavioral profile of each user from that user's interactions with the system. Signals such as keystroke cadence, how the user moves through applications, device characteristics, habitual logon times, geolocation, IP addresses and similar behaviors are used to train a model per user. Once trained, the CIM keeps watching after the login succeeds, continuously estimating whether the person behind the session is the account's owner even when the session was opened with valid credentials. Its output is a risk score, which corporate systems use to weigh the probability that the session is genuine rather than an imposter, and to set access levels for apps, data files and network resources in real time. A score past a threshold can also raise an alarm for security operations personnel to analyze the suspicious activity. Because the anomaly surfaces during the session rather than months later, this can greatly reduce time to discovery of a breach, which today often runs 3-6 months or longer. The score is probabilistic, so thresholds have to be tuned: set too aggressively they lock out legitimate users whose behavior has changed (a new keyboard, travel, an injury); set too loosely they let a careful imposter through.

What can it prevent?

While targeted specifically at continuous identification of users, the system can have a major positive impact on detecting and stopping:

  • Insider Malicious Activity – An insider who already holds legitimate credentials is hard to stop with credentials alone. Because the CIM judges behavior rather than just the login, it can flag and shut down an employee who starts touching systems, files or hours of operation that do not fit their established pattern, a major step forward against attacks that are currently hard to prevent.
  • Physical Device Compromise – Many attacks are carried out through devices that have been hacked and are performing malicious operations in the background. Malware acting in the owner's name does not interact the way the owner does (scripted access, bulk data pulls, activity while the user is idle), so the CIM can detect the anomaly and cut off that attack surface.
  • Stolen Credentials and Compromised Login Systems – Stolen credentials are common; a less common but rising vector is hacking into and modifying the credential store itself. Because the CIM certifies the user through behavioral analysis rather than stored credentials, a valid-looking login that is not followed by the user's own behavior earns a poor score, which largely neutralizes both vectors.

Not an Instant Solution

There is a downside: such a system cannot be implemented straight out of the box, nor instantly for new users. Each CIM has to be trained on each user, and further on each device that user uses, so there is a delay before the capability can be relied upon. Training can take 1-2 weeks or more depending on how much the user interacts with the system, and a user who gets a new or upgraded device has to be retrained. Still, once trained, such a system is highly effective at stopping "bad actors" with stolen credentials from reaching systems they shouldn't. It can also limit what internal employees can do, restricting them to the systems and interactions appropriate to their role, and so curb insider misuse that is otherwise very hard to detect and prevent. Nevertheless, in most organizations, especially those with high employee turnover, a conventional identity system based on username and password (with multi-factor authentication where possible) will still be required as a fallback during the training window. Keeping it in place as a second layer is good practice even after a CIM is deployed.
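To make the scoring described in the CIM section and the cold-start fallback described just above concrete, here is an added example in Python. It is written for this article and is not the article's, BlackBerry Persona's or any vendor's code. It learns a per-user baseline from constructed sample sessions (device, source network, logon hour, keystroke cadence), scores a new session against that baseline, maps the score to the access tiers the CIM section describes (allow, step-up, restrict and alert), and falls back to step-up authentication for any user with too little training history. The feature weights, the thresholds, the MIN_TRAINING_SESSIONS value and every session record are illustrative assumptions; a production system would use far more signals and a learned model rather than hand-set weights.

```python
# Toy continuous identity management (CIM) scoring engine.
# Added example for this article; not the article's, BlackBerry Persona's or any
# vendor's code. Weights, thresholds and the training minimum are assumptions;
# all session data below is constructed.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

MIN_TRAINING_SESSIONS = 5  # assumption: fewer sessions = still in the training window


@dataclass
class Session:
    user: str
    device_id: str
    hour: int                      # local logon hour, 0-23
    network: str                   # constructed token for the source network/ASN
    key_intervals_ms: List[float]  # inter-keystroke intervals seen this session


@dataclass
class Baseline:
    devices: Set[str]
    networks: Set[str]
    hours: List[int]
    mean_interval: float
    std_interval: float
    sessions: int


def train(history: List[Session]) -> Dict[str, Baseline]:
    """Build one behavioural baseline per user from observed sessions."""
    by_user: Dict[str, List[Session]] = {}
    for s in history:
        by_user.setdefault(s.user, []).append(s)
    baselines: Dict[str, Baseline] = {}
    for user, sess in by_user.items():
        intervals = [x for s in sess for x in s.key_intervals_ms]
        baselines[user] = Baseline(
            devices={s.device_id for s in sess},
            networks={s.network for s in sess},
            hours=[s.hour for s in sess],
            mean_interval=mean(intervals),
            std_interval=pstdev(intervals) or 1.0,  # guard against zero spread
            sessions=len(sess),
        )
    return baselines


def score(b: Baseline, s: Session) -> float:
    """0.0 = matches everything learned about the user, 1.0 = matches nothing."""
    device_pen = 0.0 if s.device_id in b.devices else 1.0
    network_pen = 0.0 if s.network in b.networks else 1.0
    # Circular distance in hours to the nearest habitual logon hour; 6h+ counts fully.
    dist = min(min(abs(s.hour - h), 24 - abs(s.hour - h)) for h in b.hours)
    hour_pen = min(dist / 6.0, 1.0)
    # Keystroke cadence as a z-score against the learned mean; 3 sigma+ counts fully.
    z = abs(mean(s.key_intervals_ms) - b.mean_interval) / b.std_interval
    cadence_pen = min(z / 3.0, 1.0)
    weights = (0.30, 0.25, 0.15, 0.30)  # assumed weights: device, network, hour, cadence
    return sum(w * p for w, p in zip(weights, (device_pen, network_pen, hour_pen, cadence_pen)))


def decide(baselines: Dict[str, Baseline], s: Session) -> Tuple[str, Optional[float]]:
    """Map a session to an access tier. Untrained users fall back to step-up auth."""
    b = baselines.get(s.user)
    if b is None or b.sessions < MIN_TRAINING_SESSIONS:
        return "STEP_UP", None          # cold start: rely on conventional credentials/MFA
    risk = score(b, s)
    if risk < 0.2:
        return "ALLOW", risk
    if risk < 0.5:
        return "STEP_UP", risk          # re-authenticate before sensitive actions
    return "RESTRICT_AND_ALERT", risk   # cut access and raise a SOC alert


# Constructed training history: alice has a stable routine; bob is still new.
TRAINING = [
    Session("alice", "laptop-1", 8,  "net-office", [140, 150, 160]),
    Session("alice", "laptop-1", 9,  "net-office", [145, 155, 150]),
    Session("alice", "laptop-1", 10, "net-office", [150, 150, 150]),
    Session("alice", "laptop-1", 9,  "net-home",   [135, 165, 150]),
    Session("alice", "laptop-1", 8,  "net-office", [148, 152, 150]),
    Session("alice", "laptop-1", 10, "net-home",   [140, 160, 150]),
    Session("bob",   "phone-1",  12, "net-office", [200, 210, 190]),
    Session("bob",   "phone-1",  13, "net-office", [205, 195, 200]),
]
BASELINES = train(TRAINING)

if __name__ == "__main__":
    probes = {
        "alice, normal session":           Session("alice", "laptop-1", 9, "net-office", [148, 152, 150]),
        "alice's creds, unknown device":   Session("alice", "laptop-9", 3, "net-unseen", [90, 95, 85]),
        "alice's own laptop, other typer": Session("alice", "laptop-1", 9, "net-office", [110, 110, 110]),
        "bob (still training)":            Session("bob",   "phone-1", 12, "net-office", [200, 200, 200]),
    }
    for label, probe in probes.items():
        print(f"{label:34} -> {decide(BASELINES, probe)}")
```

The third probe is the interesting one: the session comes from alice's own laptop, on her usual network, at her usual hour, so a login check sees nothing wrong, yet the keystroke cadence alone pushes the score to 0.3 and forces a step-up. That is the insider and physical-compromise case from the list above. The second probe, stolen credentials used from an unknown device and network at 3 a.m., scores about 0.98 and is cut off with an alert, while bob, with only two sessions of history, is never scored at all and goes straight to conventional authentication.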

One such AI-based continuous authentication product is BlackBerry Persona. Persona is currently available for mobile devices to BlackBerry UEM customers, while Persona for desktops does not require BlackBerry UEM. We expect many other entrants into this space in the coming 1-2 years, including cloud-based offerings from major security and infrastructure companies such as Cisco, Okta, Microsoft, Google and AWS. We also expect new AI-based solutions from smaller, targeted players concentrating on specific high-value niches such as financial services, healthcare and utilities.

Bottom Line:

Organizations must move away from relying solely on a username and password and toward a more resilient approach by implementing an AI-based continuous identity management system. Such a system, properly implemented, could defeat the great majority of credential-theft attacks and aid security operations in analyzing potential threats. While it is still early in the cycle for such systems, companies should be exploring the option now with their current vendors, and if those vendors do not offer the capability or have it on their near-term roadmap, should be looking at vendors who do. Failure to do so exposes organizations to needless risk that CIM could mitigate.