Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016


A few months ago our very own Chris "Sully" Sullivan, GM- Analytics/Intelligence, delivered a speech to the Gartner Identity and Access Management Summit to a group of IAM ninjas in London. Confession - I love hearing Sully speak. I always learn something and I love seeing the crowd as they learn these things along with me. However, at this event I was actually more surprised than usual at the response that he got when he asked the simple question "how many people here delete security groups?"


You might as well have asked them if they would be willing to donate a kidney to a stranger or forgot their cell phone at home that morning. Needless to say, most everyone sort of looked at Sully like he was crazy which was exactly what he was going for.


The reason, he explained, that no one deletes these groups is because they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it and it turns out that you just shut off your CEO's access to an application that he/she uses daily? Not a good look for the security team.


Sully's point for the presentation was that now, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your network because you can finally drill down into these security groups and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is because they simply don’t understand the complexity of access such as how access is granted, nested entitlements, and direct versus indirect assignment of access.


All businesses, regardless of industry, are faced with an exploding universe of identities, devices and data that employees require to do their job. The expanded use of mobile and cloud devices, along with non-employee and transitional employee access means that risk management and compliance is extending far beyond traditional enterprise limits. This can equate to trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?


With actionable intelligence through Access Insight 9.0 you get a comprehensive and continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources, and activities. Our analytics engine pulls in these large amounts of identity and access data and stores them in its proprietary in-memory access analytics engine. The "engine" correlates relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk in a current and historical perspective in lines of business, governance, operations and applications.


For example, our Access Explorer builds every Active Directory Group out in a spider diagram so that you can see whose access is connected and where your privileged accounts are linked.


Not only can you drill down into these details but our analytics provide the ability to analyze large amounts of identity and access data against policy and company defined models of activity patterns. This gives you the ability to personalize policies for your organization and with any change in these policies you can be immediately notified at any signal of dishonest or malicious behavior. Imagine having a solution that would automatically alert you and require a micro-certification when an account had access to do more than you believe it should?


It's time to start using all of this collected data to our advantage. It's time to start looking at our access relationships and prioritizing the risks our organization faces. Whether you have an Identity and Access Management solution or are working within your Active Directory, Access Insight can put your data to work for you.


Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.


Tags: access rights, Access Insight, access risk, intelligent IAM, identity and access governance, Identity & access management, intelligent identity and access governance, intelligent identity and access management

The Hacker Who Stole Christmas

Posted by Joaquin Ruiz on Thu, Dec 17, 2015


Tags: IAM, Courion, cyber security, IAG, identity and access governance, identity and access management, Identity & access management, retail cyber security, IIAM

Better Together: Courion and Core Security

Posted by Chris Sullivan - GM, Intelligence/Analytics on Wed, Dec 16, 2015

Courion + Core Security FAQ
By Ray Suarez, Core Security and Chris "Sully" Sullivan, Courion

A lot of folks have been asking why we made this acquisition. The reality is, this is a merger of two market leaders expanding their products to offer something never before seen in the cyber-security space. So to build on and explain this thought, we wanted to do a little Q&A to answer some of your questions.

Ray: Sully, why do organizations do Identity, Governance and Administration (IGA)?
Sully:  To manage access to information and processes.

You can buzz it up by talking about threat surface and risk but you are simply protecting card data, IP (your crown jewels) or the ability to prevent unintended transfer of large sums.

Sully:  Why do organizations do Vulnerability Management (VM)?
Ray: To manage access to information and processes.

So let’s see, they are both solving the same problem. VM protects you up to the identity, and IGA from the identity to the process or information. Each area has tools, control processes and teams to do the work.

But our adversaries don’t partition their work this way. Consider the Target breach attack path. It was HVAC vendor account (IGA) -> VPN (VM) -> BMC_user1 account (IGA) -> C&C server (VM) -> payment systems network firewall (VM) -> dev, sw distribution, exfil servers (VM). Our adversaries move quickly between the VM and IGA world and hide in the cracks between them.

Now Courion has long been an IGA market leader and is specifically recognized for customer sat and delivering on the promise of intelligence. We use a property graph (I know too techie but it’s necessary to solve the scale problems) to give you a comprehensive view of your logical access. That’s person, to accounts, to permissions and sub-permissions and roles and sub-roles and sub-sub-sub.. In a mid-sized company, that’s billions of changing security permutations – even the best security experts can’t visualize that complexity. Our analytics let you really understand what’s important so you know what you are requesting, reviewing, approving instead of just pretending that you do.

And Core Security has long been the VM market leader and is specifically recognized for unraveling the complex permutations of vulnerabilities that could lead to a breach of critical assets by an attacker. Courion also uses a property graph to give you a comprehensive view of the layered infrastructure and understand what’s important. That’s network, client, web, wireless and mobile.

Now imagine what would happen if you connected those two worlds with all that domain expertise and IP.  For example a blind person will perfect their listening skills to compensate for their disability and a hearing impaired person will perfect visual observation. If we could combine each of these improved senses, it would provide clarity that us normal folk might not even think possible.

Don’t believe us? Hear what some of the industry experts have to say here

2 more questions…

1. Why does InfoSec exist? To manage access to information and processes.

2. Why Courion + Core Security? Because it was the only sensible thing to do.

Welcome to Courion + Core Security, the only security company that can continuously and comprehensively manage access to your information and processes.

Did we miss anything? We are building a new world so if you have any questions or just want to discuss things, please let us know in the comments. 


Tags: IAM, Courion, cyber security, intelligent IAM, IAG, identity and access governance, core security, vulnerability management, VRM, vulnerability risk management

Picking the Right Leader for You

Posted by Doug Mow - CMO on Tue, Jan 07, 2014

Today we announced that Courion is in the Leaders Quadrant in Gartner’s Magic Quadrant report for Identity Governance and Administration (IGA). We are honored that Courion was one of four companies thus recognized and was evaluated by Gartner on its ability to execute and the completeness of its vision.

We believe this is further affirmation of Courion’s commitment to Identity and Access Management over the last 16 years. Since 2007, Courion has been positioned in the Leaders Quadrant in Gartner Magic Quadrants nine times, even as the category has evolved from ‘user administration and provisioning’ and ‘identity and access governance’ to the merged ‘identity governance and administration’.

In 2013, Courion was also lauded by several other analyst firms and publishers, such as KuppingerCole, DataWEEK, Network Products Guide and Info Security Products Guide.

The Gartner report guides readers to, “use this Magic Quadrant as a reference for evaluations, but explore further to qualify the capacity of each vendor to address your unique business problems and technical concerns."

Let’s say you take that advice to heart. Just how would you evaluate the four leaders, or other vendors, given your specific needs?

You might consider whether the solution will be easy for your security team and other departmental managers to use. You could ask whether the company offers connectors for the data and applications that are in common use in your company and industry. You could investigate the company’s ability to help their customers implement the solution. You might even consider what the next stage of IAM will bring, and whether a particular vendor can help you clear the next hurdle, one that you might not even see yet.

If those criteria are important to you, take a closer look at Courion. Courion’s Access Assurance Suite offers an intuitive user interface that business executives, not just IT professionals can use for performing routine tasks such as access requests, approvals and certifications. Would that help your IT staff be more productive, more quickly?

Courion’s separately packaged connectors are tailored to help customers in vertical markets such as financial services, healthcare, manufacturing and retail get up and running quickly. Does your company fall into one of those categories? In addition, Courion’s well-established implementation methodology, honed through its experience serving more than 600 customers, may well reduce your installation time and costs.

You might also want to consider what is next on the horizon for IAM, or IGA. Industry pundits increasingly agree that the next generation of IAM products will leverage the big data in your identity and access system to inform, improve and optimize your ability to automate common IAM tasks, maintain continuous compliance and recognize and reduce risk through the use of analytics, or Identity and Access Intelligence (IAI). If that is indeed where the market is going, then you really only have one choice, Courion, the company that offers robust identity analytics and intelligence capabilities.

Click this link to download the complete Gartner Magic Quadrant report on Identity Governance and Administration (IGA).

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Tags: Gartner, Doug, Mow, IGA, IAM, Courion, identity and access governance, identity and access management, Magic Quadrant, Leader, Leaders, Identity Governance and Administration, user access and provisioning

Routine Maintenance Recommended

Posted by Doug Mow on Mon, Aug 12, 2013

The United States Attorney for the District of New Jersey recently announced indictments against five men who executed a carefully calculated hacking scheme that saw more than 160 million U.S. and foreign credit card numbers stolen. The data breach was the largest known to date in the United States. Thank goodness we caught the bad guys, right? Sure, but how could we have caught this before the damage was done?

According to this article, the perpetrators used several ways to avoid detection, including using a web-hosting service that did not track (their) user identities or report (their) user activity to law enforcement officials. And as is the case in many breaches today, the perpetrators changed settings on the target networks so they could disable security mechanisms and used malware to get around the security software in place.

Could a more intelligent IAM solution, which could proactively check users’ identities and their access rights to resources, and which can monitor the activities of users with an eye toward abnormal behavior, have detected these digital henchmen earlier, mitigating the full deleterious effect of this breach?

Like many habits in life, like regularly changing your oil, the payoff is down the road in the end result of a car with 100,000 miles. Similarly, the work of ongoing preventative maintenance on your enterprise infrastructure may not be convenient, but is probably worth it, unless you want to avoid the corporate equivalent of engine malfunction and expensive repairs – a massive data breach.

Access Insight helps you maintain compliance not just once a year, but every day. And just like the routine preventative maintenance recommended for your car, you might find that good habits all year long result in reducing the risks that lead to breaches, and offer the added benefit of streamlined certifications.

Does your company need to meet PCI compliance regulations? Consider whether Courion Access Risk Management Suite can help you avoid the IT equivalent of engine failure.

Tags: access rights, access risk management suite, identity management, access risk, data breach, hacker, identity and access governance

The CISO . . . an Accountant or a Chief Financial Officer?

Posted by Chris Zannetos - CEO on Thu, Jun 06, 2013

As part of CONVERGE, Courion’s 11th annual customer conference held last month in Atlanta, we convened an Executive Forum of 20 CIOs, CTOs, and CISOs along with leading consultants and Courion executives to discuss key strategic issues. In addition to the requisite discussion of the impact of the Cloud and the Consumerization of IT, we discussed the evolving role of the senior IT security executive.

We have held this Executive Forum for several years now. Looking back now, I wish we’d had the foresight to capture these proceedings on video over the years to observe our evolution, much like the famous documentary, Seven Up! which chronicles the lives of fourteen British children in installments every seven years as they age and their world views evolve. If we had, not only would we have seen my hair fade to gray, we would also have seen a significant evolution in the perspective of what it takes for an information security executive to be truly successful.

As the discussion at CONVERGE progressed, I was reminded that the role of CISO is still in its adolescence, much like those British schoolchildren in the early documentaries. There are other organizational roles that have been around a bit longer that perhaps we in the information security world can learn from – like that of the Chief Financial Officer.

My CFO likes to tell the story of a meeting he had with financial auditors to discuss an accounting treatment for a particular transaction. After the review, a young audit associate stated, “Well, that is sort of in the gray area.”  My CFO’s response?  “My entire job is in the gray area!”

As you advance up the chain of command in a financial organization, you are called upon to adopt the more holistic view of a business executive. No longer can you optimize on just one variable  – you must understand the breadth of impact a decision may have on the business as a whole, not only today, but also in the future. Those who do not have the interest or the capacity to do so remain accountants, where the landscape is black and white. It’s a debit or a credit. Accounting rules and guidance dictate what you can and cannot do, and if an action is not addressed by the rules . . . you cannot do it.  While regulations may provide for it, there is no room for interpretation. To do so would disturb the balance of the universe.

In contrast, the CFO needs to focus on the business as an ongoing entity beyond the numbers. His job is to understand, communicate and help manage the financial health of the business.  And the numbers don’t always tell the story – in fact, they sometimes obscure it.

This is the same evolutionary leap that the information security executive must take. In the security world, many act and talk as if the world is black and white. Something is either secure, or it isn’t.

If there is a lesson we should learn from the last few years, it is that compliance does not equal security, and nothing can be 100% secure. A focus only on security obscures visibility of the vitally important issues – and is destined to fail. In Finance, it is the numbers versus the business health. In IT, it is “security” versus “the business risk.”

An IT Security “Accountant” believes he is responsible for ensuring that all is secure and that the business never suffers loss related to the company’s technology infrastructure. An IT Security “CFO” believes he is responsible for ensuring that the business understands the risks it is taking, aligning IT and security spending according to that risk appetite, and delivering the capability to quickly understand and respond when risk changes or an adverse event is realized.

Doing so elevates the Information Security Executive to a role where he is included in, and integral to, business discussions with C level executives. And judging by the conversation during our most recent Executive Forum, leading IT Security Executives are making this intellectual, and in some cases operational, leap. As a result, they are called more frequently into Board Meetings, their companies’ Audit Committees now include members with significant IT experience, and they integrate their work with Enterprise Risk Management efforts.

The opportunity is here today for you to elevate the work of the CISO. Move into the gray area and widen the lens from security to business risk management. Perhaps this is more of an imperative than an opportunity, because if, as a CISO, you do not follow the example of the CFO to become a business force, you may be relegated to the backroom and pulled out only at time of audit – just as an accountant is.

Tags: risk management, IAM, Courion, CZ, identity and access governance, security, Chris Zannetos, CONVERGE, CISO

KuppingerCole Names Courion a Leader in Access Governance

Posted by Courion Corporation on Tue, Mar 19, 2013

Leading global analyst firm, KuppingerCole, recently named Courion a leader in product, innovation and overall strength in the KuppingerCole Leadership Compass for access governance. The report, authored by Martin Kuppinger, founder and principal analyst at KuppingerCole, evaluated 18 products in the access governance space.

"Courion definitely is amongst the vendors that should be taken into account when looking for an Access Governance solution. They show innovativeness and provide a feature-rich, established and well-integrated platform" says Kuppinger.

Access governance has become critical as chief information security officers (CISOs) increasingly focus their attention on reducing risk through proactive verification of business users’ access rights. Its importance is growing along with the rising frequency of data breaches around the world. For CISOs researching access governance solutions, the survey recognizes providers that merit consideration.

KuppingerCole notes that access governance is the fastest-growing segment in the IAM market. Access governance is gaining traction because of the need for organizations to ensure that the right people have the right access to the right resources and to demonstrate they are doing the right things with this access.

To access your free copy of the complete report, visit the Courion Resource Center.

Tags: IAM, Courion, identity management, access governance, IAG, information security, identity and access governance

Reducing Data Breaches, Addressing the Gap and the Right IAM Solution

Posted by Courion Corporation on Tue, Feb 26, 2013

In a recent interview with Info Security Products Guide, Courion President and CEO, Chris Zannetos, spoke with Rake Narang about the identity and access management challenges facing most organizations today.

“Most organizations today have a highly complex infrastructure made up of many applications, systems and networks, all with the potential to expose the company to information security risks if user access is not properly managed. Add in growing trends, like cloud computing and BYOD, which create open environments and leave an organization more vulnerable to breaches as users access information from outside their walls.”

Highlights of the article include:

  • What is causing data breaches to rise -- and what companies can do about it
  • Why are organizations failing to recognize the IAM gap -- and what they should be doing to address it
  • What is the next radical change in Identity Management and Access Governance solutions?
  • What should CSOs look for when selecting an identity and access management solution?

Want to learn more? Click here to read the full interview.

Tags: IAM, Courion, CZ, IAG, identity and access governance, identity and access management, Access Risk Management, Zannetos

The Next Radical Change is Now

Posted by Chris Sullivan - VP Product Planning on Thu, Sep 13, 2012

What’s the next radical change in Identity Management and Access Governance solutions? Here’s my response to a recent LinkedIn post.

Here are 4 unbiased facts about our current predicament:
1. Infosec budgets are rising year over year and yet…
2. Breaches are increasing exponentially year over year. This is because volume and sophistication of threats are both escalating rapidly. Did you know you can get botnets as a service? Is the correct term for that BaaS? BaaS is still a cottage industry but it’s growing nicely and there are even entrepreneurial types out there who are giving it away in the hopes of making money later (Zuckerberg did okay with this approach).
3. Most companies only find out that they were breached when someone else tells them, but the evidence was right there almost all the time.
4. Most organizations are trying to protect themselves by doing access certification on a bi-annual or annual basis, but there’s clear evidence this isn’t helping (contact me and I’ll show you the data).

The solution here is not to keep piling on more controls -- that’s what we have been doing and it has failed. The solution is to be more efficient and intelligent about the ways we apply the controls we have.

We need to identify, understand, manage and settle access risks in real time. This requires us to flip the current workflow-centric approach and use a data-centric approach to continuously discover unauthorized changes, policy violations and suspicious behavior, and then fire actions to settle these risks immediately.

Think about what data-driven analytics did to MLB (Moneyball).

This isn’t the “next” radical change, it's the current one. 

Come by and see us at a variety of industry events to learn more.


Tags: IAM, access risk, data breach, identity and access governance, access intelligence, identity and access management, Sully, real time analytics

A Call to Arms - The Future of IAM

Posted by Chris Sullivan - VP Product Planning on Mon, Aug 13, 2012

Ten years ago, CISOs saw a need to improve information security but couldn’t get it funded. They figured out they could automate access administration and make the organization more efficient all around. This was “provisioning.” We’ll call it IAM 1.0. It isn’t perfect but it works. The cost/benefits don’t scale down to the SMB market, but Software as a Service (SaaS) as a service delivery mechanism is starting to solve that.

Five years ago, under a crushing surge of regulatory requirements to review access (and, oh, by the way, the desire to have some idea of what you were actually reviewing), Identity and Access Governance (IAG) expanded to include roles (if you hadn't already implemented roles to streamline provisioning) and re-certification/attestation. At the time (and not surprisingly) the IAG-only vendors were dissing provisioning as a waste of time. Oddly, they’re all selling provisioning solutions now. Truth is, provisioning was necessary, though not sufficient, to address organizations’ emerging regulatory requirements. So the IAM market changed once again. We’ll call this IAM 2.0.

Fast forward to the present. Check out the Verizon data breach report for 2012. Data breaches have gone up exponentially over the last three years, but companies are finding out about their own breaches through IAG (access reviews) less than one percent of the time. Less than one percent! Companies spend millions of dollars doing access reviews (which they are legally bound to do, while at the mercy of auditors who can influence their share prices) and they still catch less than one percent of the breaches!

The game has changed again, folks. It's no longer the disgruntled employee stealing proprietary information you have to worry about. These breaches are well-funded industrial espionage that are extremely sophisticated. Regardless, IAM is not dead. The idea of securing the enterprise is dead. CISOs are coming to the realization that bad guys are not only going to get in – they’re already in, and lying in wait.

Do you know about the largest non-nuclear explosion in human history that happened in 1982? What about Russia's 2008 cyber attack on Georgia that started weeks before the conventional invasion, Stuxnet in 2010 and the RSA breach in 2011? The pace is quickening.

Earlier this year, US Department of Homeland Security announced that "Hackers had successfully penetrated the networks of several natural gas pipeline operators." This went undetected for months... Did you read about the largest non-nuclear event?

Forward thinking folks like John Sanio, Director, Security Architecture, Canadian Division IS Risk Management at Manulife Financial, are moving ahead with "proactive attestation” because it's ridiculous to wait 3-12 months just to start looking for bad stuff that you know is already there. And there's so much more to do in real time. Provisioning and attestations aren’t going away, but the attack vectors have changed and so have the stakes. We, as an industry, need to up our game dramatically.

Welcome to the third wave. This one is really important – it’s a national security issue. We better get it right.

Tags: IAM, Courion, access governance, access risk, data breach, IAG, identity and access governance, security, identity and access management, Sully, Access Risk Management