Today's security begins with identity and ends with data.

Security strategies implement numerous technologies and frameworks to keep your data safe, notably Identity Access Management (IAM) and Privileges Access Management (PAM), part of the broader Zero Trust Architecture. IAM PAM: two essential tools to keep your company safe in this environment.

As the enterprise's perimeter is changing, access control needs to change. The enterprise is becoming distributed across multiple locations as remote work and cloud hosting are the norm. Thus, the former environment and its established controls are gone. Controls must be implemented directly at your endpoints, at the identity level. Should incidents arise, you have to answer near real-time to avoid intrusion. Automation becomes critical to allow you to implement such processes.

However, as good as these solutions are, implementing them across the whole company and leveraging their maximum potential has proven challenging.

Below, we're going to look at how you can solve these issues with the help of a SOAR.

• How does IAM work with SOAR

• How can you leverage the SOAR with PAM

• IAM, PAM, and SOAR for automated and real-time access controls

How does IAM work with SOAR

For most companies today, data is one of their most valuable assets, if not the most. The modern organization's capital relies on immaterial assets, such as R&D processes, that help differentiate the company from its competitors. If initial access is granted to the wrong person, it could lead to the theft or exploitation of these precious data, ultimately leading to a dramatic loss of future revenues.

Thus, safeguarding these data is critical. In response, information technology (IT) and security teams started adopting frameworks to manage and control employees' access to the existing information system.

To that end, we could describe the objectives of IAM like so:

• identification and authentication of individuals

• the roles in your information system and their assignation to each of the individuals

• adding, removing, and updating individuals and their roles

In summary, IAM is about validating your identity before you're authorized to enter a system. It differs from PAM, which is about resource access validation and relies on attributes. PAM and IAM are intrinsically tightened together, and often, solutions that provide IAM provide PAM.

However, they answer two different stages of attacks: initial access and privileges escalation. We need to adopt two different response plans for these two different threats. That's why we're choosing to analyze IAM and PAM first.

Back at IAM. To fulfill the objectives listed above, IAM gathers numerous technologies, such as single-on systems, two-factor authentication, and multifactor authentication, and the ability to store all the data these technologies use securely.

However, as the attack surface grows due to the number of users needing access to the information systems and varies according to employees' whereabouts, there's a need to close the gaps as fast as possible in an increasingly hostile environment. Manual IAM, relying on human inputs, must evolve towards automated processes to achieve real-time protection and reduce the risks induced by variations in the attack surface.

On top of that, tasks such as creating, suspending, or revoking employee access are grunt work that takes time and is prone to errors and omissions. When it comes to repetitive tasks, the main challenge is consistency. Take the classic example of an employee leaving the company. Depending on the employee, their access must be entirely revoked in hours or minutes. The challenge isn't about revoking all the access but ensuring that there isn't any omission. Here, companies have put a control framework in place to ensure that the human assigned to this mission. Still, automation is a way to conduct the task first and then allow complete auditability of tasks undertaken in minutes.

What's more, implementing MFA everywhere isn't sufficient per se. If you implement MFA everywhere, you must implement real-time and automated controls; otherwise, end-users could ignore the notif or accept them to eliminate the disturbance. But real-time controls should not come as a burden to end-users or else. Acceptance on their behalf would be reduced... It has to be user-friendly. Talking about resolving to square the circle!

From a SOC perspective, when an incident arises, you have to be able to react fast to acknowledge the legitimacy of the action and act accordingly. Here, we're talking about incident response capabilities, which rely on the ability to rapidly leverage your other tools to gather information about the incident: the MFA in place, the user, the scope, and the devices affected. Collaboration between tools is crucial.

The SOAR shows its unique ability to be your SOC backbone when discussing collaboration and incident response. Integrating your technologies enables real-time collaboration between them. This way, it can gather information across your environment (your SIEM and EDR, or even your Cloud management techs) and beyond (further enriching your alerts with Threat Intelligence) and process it in pre-built playbooks, where each response determines further actions taken.

This way, alerts received from IAM trigger playbooks that first enrich them to determine whether the alert should be deemed malicious and automatically take action.

As a result, the protection on behalf of the end-user accounts is increased, and your IAM processes are backed by automated incident response plans that secure your attack surface in real-time, proactively, and reactively.

How can you leverage the SOAR with your PAM solution

Attack reports show an increasing reliance on credentials to access your information system. The recurring stages of these attacks can be described as Steal, escalate, and abuse. We've already covered Steal above by talking about IAM and what the SOAR can bring to it.

Here, we'll focus on escalation and abuse, which would resort to PAM, even though, in practice, IAM and PAM are often intertwined, as we said at the beginning of our demonstration.

In practice, PAM needs the integration of diverse technologies, often provided by various solutions. Let's take a look at a PAM lifecycle representation. We see that, among other things, PAM relies on techs such as 2FA or SSO, ticketing systems, reporting, log monitoring solutions, and AD/LDAP, to be effective.

These various techs represent different layers of security that your SecOps teams need to articulate together to make PAM genuinely effective. Most of the time, SecOps are doing this manually, navigating from alerts received via their Threat Intelligence feeds or highlighted by their custom queries on their SIEM to pinpoint remediation solutions. As a result, processes take time and leave holes in the security perimeter.

Of course, PAM solutions provide sets of out-of-the-box automation use cases. However, one-size-doesn't-fits-all. Customers often need manual work to make their PAM efficient in their environment. Resorting to in-house automation is time-consuming and takes a lot of resources and skilled programmers for tasks that could be easily automated due to their repetitiveness.

Finally, even though some PAM solutions provide integrations to top-of-the-art pinpoint techs like SIEMs or others, the automation of in and outflows between the two solutions.

Privilege access request workflows

About the highest risk server or application and the means to secure them. Even if I have legitimate permission and want to access these servers, request control is critical whether it's necessary to do the activity on the server at that time.

With PAM, the processes were dramatically shortened. Login and notification are all via an electronic procedure. But it's hard to implement and time-consuming. You need to wait for a manager to request approval. Thus, customers avoid it or use another means of communication with the IT teams, which may be less secure.

With a SOAR, you can build an automatic workflow in which a user submits a request before a Chatbot approves the access request on a designed communication system, with the help of an authentication system requiring OTP.

Monitor privileged accounts and threat detection

A Backdoor account is created on the Active Directory. With most modern PAM, you can regularly detect these newly created accounts by scanning to auto-provision and reset credentials. However, you would prefer a trigger-based workflow that automatically reacts at the moment of account creation.

The event of creating the backdoor account will be detected by the PAM tool, but what about other tools? SIEM ingests all the raw data. What do you do with these? Is there collaboration with other solutions?

With the SOAR, you will take advantage of your other solutions, such as the SIEM, which ingests all the logs, and, most likely, Syslog, attesting to creating a new user on your Active Directory.

The command executing this creation can be highlighted as the trigger of your workflow, triggering remediation actions with the help of other tools, such as blocking the Source IP address, resetting associated credentials, and notifying the analyst in charge.

IAM PAM and SOAR: Collaboration across all security layers

Across all these use cases, we've seen that the value-added brought by SOAR is about enabling automated and real-time controls between your security solutions. The SOAR harnesses its ability to integrate your environment and orchestrate the flows between them. This enables you to ingest alerts and automatically apply your incident response workflows.