A bigData platform for analytics on access control policies and logs

Abstract

Relying on an access control security policy alone to protect valuable resources is a dangerous practice. Prudent security must engage in other risk management and mitigation techniques to rapidly detect and recover from breaches. In reality, many security policies are either wrong, containing errors, or are misused and abused by malicious employees or compromised accounts; not all granted access is desirable. A popular approach to mitigate against these and other residual threats is to monitor applications to detect misuse and abuse of credentials in near real-time. We will show a platform for monitoring applications and the use of analytic models on diverse datasets for detecting suspicious user activity. Our platform combines traditional data management systems with BigData platforms to efficiently apply analytics across security relevant data (policies, logs, metadata) and provide administrators a dashboard of the current security status of the organization, and the ability to investigate prioritized alerts. One key analytic in the demo is a novel generalization of the role mining problem as applied to access logs and modeling user behavior for anomalies. Other analytics include conventional statistical measures, Gaussian mixture models and clustering, Markov models, and entropic analysis of requests. This demonstration will walk through a prototype system and describe the analytics and underlying architecture.