Description: Besides relying on a valid username/password, authentication should take into account additional context about a user to determine not only that the individual is who they say they are, but also that they are behaving as expected. This behavioral context helps identify potentially stolen or abused credentials and possible insider threats, and allows admins to deny authentication to protect intellectual property.
Benefit: Secures data and intellectual property by reducing the threat of stolen credentials, malicious insiders, or risky networks.
Implementation Approaches
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction
- DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
NIST SP 800-207: Zero Trust Architecture
- 2.1.4: Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- 2.1.4: Behavioral attributes include, but not limited to, automated subject analytics, device analytics, and measured deviations from observed usage patterns.
Title | User Login Attributes |
Technology Components | User and Entity Behavior Analytics (UEBA); Security Information and Event Management (SIEM); Access Management (AM) |
Description | Additional context about the device, network, location, etc. can be used as further input to risk assessment. Analyzing and comparing these login attributes helps determine whether a login deviates from normal activity, so that policy can be applied accordingly. |
Pre-requisites | UEBA and/or SIEM to aggregate login attributes/conditions from various sources (e.g. UEM, IAM, applications, network appliances, etc.); UEBA and/or SIEM is integrated with IAM to provide risk assessment of the user; IAM is able to deny access/terminate the session |
Supporting Member Companies | ForgeRock, Okta, Ping Identity, Thales, ThreatMetrix, VMware WorkspaceONE |
Title | User Behavior Profile |
Technology Components | User and Entity Behavior Analytics (UEBA); Security Information and Event Management (SIEM); Access Management (AM) |
Description | User behavior can often be a signal of malicious activity: when somebody logs into a certain app (3am), or how frequently someone accesses a certain resource (accessing Box once a week vs 15 times within an hour). Determine whether there is a deviation from normal behavior and apply the appropriate security policies accordingly. |
Pre-requisites | UEBA and/or SIEM to aggregate user behavior from various sources (e.g. UEM, IAM, applications, network appliances, etc.); UEBA and/or SIEM is integrated with IAM to provide risk assessment of the user; IAM is able to deny access/terminate the session |
Supporting Member Companies | ForgeRock, Okta, Ping Identity, Thales, ThreatMetrix, VMware WorkspaceONE |
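
The User Behavior Profile approach above, sketched as an added example (not code from this page or from any listed vendor): it builds a per-user, per-app baseline of access hours and peak hourly frequency, then scores new activity against it. The function names, the `burst_factor` threshold, the allow/step_up/deny policy and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def max_in_window(stamps, window=HOUR):
    """Largest number of sorted timestamps inside any sliding window."""
    best, start = 0, 0
    for end, t in enumerate(stamps):
        while t - stamps[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def build_profile(history):
    """Baseline per (user, app): hours of day seen and busiest one-hour count."""
    seen = defaultdict(list)
    for user, app, ts in history:
        seen[(user, app)].append(datetime.fromisoformat(ts))
    return {key: {"hours": {t.hour for t in stamps},
                  "peak": max_in_window(sorted(stamps))}
            for key, stamps in seen.items()}

def assess(profile, user, app, recent, burst_factor=5):
    """Score recent access timestamps for one user and app against the baseline."""
    base = profile.get((user, app))
    if base is None:
        return "step_up", ["no baseline for this user and app"]
    stamps = sorted(datetime.fromisoformat(ts) for ts in recent)
    reasons = []
    if any(t.hour not in base["hours"] for t in stamps):
        reasons.append("access at an hour not seen in the baseline")
    peak = max_in_window(stamps)
    if peak >= burst_factor * base["peak"]:
        reasons.append(f"{peak} accesses in one hour, baseline peak {base['peak']}")
    # Assumed policy: no deviation allows, one asks for step-up, two denies.
    return ("allow", "step_up", "deny")[len(reasons)], reasons

# Constructed history: alice opens Box about once a week, mid-morning.
HISTORY = [("alice", "box", f"2024-03-{d:02d}T10:15:00") for d in (4, 11, 18, 25)]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    burst = [f"2024-04-02T03:{m:02d}:00" for m in range(0, 60, 4)]  # 15 hits at 3am
    print(assess(PROFILE, "alice", "box", ["2024-04-01T10:40:00"]))
    print(assess(PROFILE, "alice", "box", burst))
```

In a deployment matching the pre-requisites above, the baseline would come from events the UEBA/SIEM aggregates, and the decision would be passed to the IAM system that denies access or terminates the session.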