User Activity Manager
Integrates identity with reports and alerts generated by leading security incident and event management (SIEM) solutions and log file monitoring. Adding identity profile data to user activity information enables business managers to identify users who may be engaged in inappropriate behavior that represents increased risk to the security of the organization.
The combination of User Activity and IAM:
- Improves security – by highlighting instances where people may be abusing access rights and engaging in risky behavior.
- Reduces risk – by enabling organizations to quickly choose the most appropriate remediation.
- Streamlines business – by allowing managers to evaluate user activity, knowing who the user is, and respond quickly and efficiently.
- Improves productivity – by improving the ability of managers to quickly and easily filter, identify and monitor activities that represent the highest level of risk to the organization.
As companies grow increasingly complex, so does the task of protecting the enterprise from inappropriate user activity, which can create risk. As a result, organizations are concerned with what employees are doing, whether or not they are abusing their access to corporate assets and data, and how they can reduce the risk of organizational security being compromised.
Security incident and event management (SIEM) technology is used for broad-based monitoring and analysis of events. This can be particularly useful for compliance reporting, breach detection and uncovering potential incidents of fraud or inappropriate access.
When a SIEM scan uncovers patterns of inappropriate user activity, it can be difficult for the data owner or security manager to know who the individual user is, what role they play in the organization, and what impact the pattern of activity may have on the risk to the organization.
IAM, on the other hand, contains information about who the user is, what other systems the user has access to, and who authorized those access rights.
IAM and SIEM Synergy
Until recently, SIEM and IAM solutions worked separately, and IT and security managers were unable to leverage their complementary capabilities in a unified solution. Also, SIEM solutions tend to provide information formatted for use by IT and network administrators, which is not well suited for business users to consume.
Now you can address this problem with Courion's User Activity Manager, a solution that integrates ComplianceCourier™ – Courion’s access certification and compliance management solution – with leading SIEM vendors, such as Symantec, RSA, and others. Courion’s SIEM integration architecture is vendor-neutral and designed to combine data from any SIEM vendor or log file with user profile data contained in the Courion system.
User Activity Manager combines data from SIEM with identity in the context of ComplianceCourier to enable your organization to answer the questions:
- Who is engaging in risky or unauthorized behavior?
- What are they doing that violates security policy or industry regulations?
- When did they do this?
- How should I reduce these risks?
Courion User Activity Manager provides managers with detailed identity-based context for the SIEM event, such as: name, role, title, department, manager, location, entitlement, group memberships, etc. This additional context enables the manager to evaluate the level of risk associated with this access and then make an informed decision on how to mitigate the risk appropriately.
Integrated Remediation Strategy
User Activity Manager’s integration with ComplianceCourier enables managers to choose the most appropriate remediation strategy, based on who the user is and what activity he or she has been engaged in. These steps may include:
- Approving the user access rights and documenting the reasons why
- Modifying the SIEM alert level
- Creating an email message or help desk trouble ticket
- Modifying user access rights
- Blocking or removing access for individual users or specific groups of users.
If access rights to enterprise resources need to be changed, ComplianceCourier can automatically take the appropriate actions to initiate corrections, using a variety of remediation options. An audit trail tracks all review and remediation transactions undertaken by authorized managers.
Routine Access Certification Review
ComplianceCourier automatically manages the access compliance and certification process by notifying authorized managers when it is time to review employee access rights and activities, and enabling them to confirm that the employee’s access complies with corporate policy or relevant industry/government regulations (SOX, PCI DSS, HIPAA, GLBA, etc.). Integration with SIEM technology enables Courion customers to ensure not only that end user access rights are consistent with policy, but that their activity is as well.
How Does It Work?
User Activity Manager (UAM) implements a vendor-neutral approach to the integration of SIEM data and alerts with Courion’s Access Assurance Suite.

Courion extracts data from the SIEM system, normalizes it into a consistent format and loads it into a Courion database. Courion combines this data with user profile data and other identity data stored in Courion’s IdentityMap user repository to build a comprehensive picture of who the individual user is (role, dept., manager, location, etc.), along with other user IDs and systems the user has access to. Business users can then access this combined data through the ComplianceCourier worksheets, enabling them to review the user activity and determine the appropriate response.
The data is also available to Courion’s advanced analytics framework, where it can be used in a security and compliance dashboard for ongoing monitoring and review.
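The normalize-and-combine step described above can be sketched as follows. This is an added example, not Courion's code or schema: the two source formats, the field names, the severity mapping and all sample records are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed identity records: one person, many accounts (all values made up).
IDENTITIES = [
    {"name": "Dana Reyes", "role": "AP Clerk", "department": "Finance",
     "manager": "L. Chen", "location": "Boston",
     "accounts": {"ad": "dreyes", "erp": "DREYES01", "unix": "dana"}},
]
# Constructed raw events in two hypothetical source formats.
RAW_EVENTS = [
    ("json", r'{"ts": "2024-03-02T01:14:07Z", "user": "CORP\\dreyes", '
             r'"sys": "ad", "act": "group_add", "sev": 7}'),
    ("pipe", "2024-03-02 01:20:11|erp|DREYES01|payment_release|HIGH"),
    ("pipe", "2024-03-02 02:00:00|unix|svc_backup|sudo|LOW"),
]
SEVERITY_WORDS = {"LOW": 3, "MEDIUM": 5, "HIGH": 8}  # assumed mapping to 1-10

def normalize(fmt, line):
    """Map one source-specific record onto a common event schema."""
    if fmt == "json":
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        system, account, action = rec["sys"], rec["user"], rec["act"]
        sev = int(rec["sev"])
    else:
        ts, system, account, action, word = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        sev = SEVERITY_WORDS[word]
    account = account.split("\\")[-1].lower()  # drop DOMAIN\ prefix, fold case
    return {"time": when.isoformat(), "system": system, "account": account,
            "action": action, "severity": sev}

def enrich(raw_events, identities):
    """Attach the owner's profile and other accounts to each normalized event."""
    index = {(s, a.lower()): p for p in identities for s, a in p["accounts"].items()}
    out = []
    for fmt, line in raw_events:
        ev = normalize(fmt, line)
        person = index.get((ev["system"], ev["account"]))
        if person is None:
            ev["identity"] = None  # no owner on record: keep the event for review
        else:
            ev["identity"] = {k: person[k] for k in
                              ("name", "role", "department", "manager", "location")}
            ev["other_accounts"] = {s: a for s, a in person["accounts"].items()
                                    if s != ev["system"]}
        out.append(ev)
    return out
```

Events whose account has no owner in the identity data are kept with `identity` set to `None`, so unowned or service accounts remain visible to the reviewer.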
Features of the combined User Activity Manager and ComplianceCourier solution include:
| Feature | Description |
| --- | --- |
| Compliance and attestation | Effectively respond to auditor and regulator requirements for ongoing compliance monitoring and management to ensure compliance with corporate policies or key industry and government regulations. |
| Review suspicious or unusual events | Enable business managers to receive a SIEM alert and review and verify user activity. |
| Designed for Business Users | Provide security and business managers with a business-friendly view of activities and user entitlements to confirm or remediate improper access rights. |
| Comprehensive Data Integration | Identify users engaged in potentially risky behavior, based on data from industry-leading SIEM systems, enterprise directories, and Courion’s IdentityMap. Identify other user IDs that the individual is associated with to identify other systems they have access to. |
| Integrated remediation | Enable business users to automatically initiate corrective actions, without the need to install a provisioning solution. |
| Audit Tracking | Capture decisions in a transaction database for ongoing analysis, audit tracking or forensics analysis. |