Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016


A few months ago our very own Chris "Sully" Sullivan, GM - Analytics/Intelligence, gave a talk at the Gartner Identity and Access Management Summit in London to a roomful of IAM ninjas. Confession: I love hearing Sully speak. I always learn something, and I love watching the crowd learn it along with me. At this event, though, I was more surprised than usual by the response he got when he asked a simple question: "How many people here delete security groups?"


You might as well have asked them whether they would donate a kidney to a stranger or had forgotten their cell phone at home that morning. Needless to say, nearly everyone looked at Sully like he was crazy, which was exactly what he was going for.


The reason no one deletes these groups, he explained, is that they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it, only to find that you just shut off your CEO's access to an application he or she uses daily? Not a good look for the security team.


Sully's point was that, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your directory, because you can finally drill down into each security group and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is that they don't understand how the access actually flows: how it is granted, how entitlements are inherited through nested groups, and which memberships are direct versus indirect.
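The check a practitioner wants before deleting a group is exactly the one described above: resolve who is really in the group through every level of nesting, and work out which resources those people would lose. The following is an added example, not code from the original post or from Courion's Access Insight, that does this over a constructed membership table and a constructed list of resource ACLs; every group, user and resource name is hypothetical. It treats membership as a graph, tolerates circular nesting (which Active Directory permits), records the path by which each person is a member so direct and indirect membership are both visible, and then computes the impact of a deletion by re-running the same resolution with the group removed. It assumes the ACL export is complete: a group that grants access through an ACL the inventory does not cover will not show up in the impact list.

```python
"""Resolve nested group membership and estimate the impact of deleting one group.

Added example; this is not code from the original post or from Courion's Access
Insight. MEMBER_OF and ACLS are constructed test data standing in for an export
of directory group membership and resource ACLs; every name is hypothetical.
"""

# Constructed data: (member, group) pairs. A member may itself be a group.
MEMBER_OF = [
    ("alice", "Finance-Analysts"),
    ("bob", "Finance-Analysts"),
    ("ceo", "Exec-Staff"),
    ("Exec-Staff", "Finance-Readers"),
    ("Finance-Analysts", "Finance-Readers"),
    ("Finance-Readers", "Legacy-GL-Access"),
    ("carol", "Legacy-GL-Access"),
    ("GL-Readers", "Legacy-GL-Access"),
    ("Legacy-GL-Access", "GL-Readers"),   # circular nesting, which AD allows
    ("erin", "GL-Readers"),
]

# Constructed data: resource -> groups granted access in its ACL.
ACLS = {
    "GL-App": {"Legacy-GL-Access"},
    "Budget-Share": {"Finance-Readers", "Finance-Analysts"},
}


def build_graph(edges, acls):
    """group -> ordered list of direct members. Every group named in an ACL gets
    a key even if it has no members, so it is never mistaken for a user."""
    children = {}
    for _, group in edges:
        children.setdefault(group, [])
    for groups in acls.values():
        for group in groups:
            children.setdefault(group, [])
    for member, group in edges:
        if member not in children[group]:
            children[group].append(member)
    return children


def effective_members(group, children):
    """Users reachable from `group` through any depth of nesting.

    Returns {user: path}, where path is the chain of groups from `group` down to
    the group that holds the user directly; a one-element path means direct
    membership. Breadth-first, so the recorded path is a shortest one, and the
    `seen` set stops circular nesting from looping forever."""
    found = {}
    seen = {group}
    queue = [(group, [group])]
    while queue:
        current, path = queue.pop(0)
        for member in children.get(current, []):
            if member in children:            # nested group
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            else:                              # a user
                found.setdefault(member, path)
    return found


def who_can_access(resource, children, acls):
    """Every user who reaches the resource through any group in its ACL."""
    users = set()
    for group in acls[resource]:
        users.update(effective_members(group, children))
    return users


def without_group(children, group):
    """Membership graph as it would look after deleting `group`."""
    return {g: [m for m in members if m != group]
            for g, members in children.items() if g != group}


def deletion_impact(group, children, acls):
    """resource -> users who would lose *all* access to it if `group` were deleted.
    Users who also reach the resource through another group are not listed."""
    after = without_group(children, group)
    impact = {}
    for resource in acls:
        lost = who_can_access(resource, children, acls) - who_can_access(resource, after, acls)
        if lost:
            impact[resource] = lost
    return impact


if __name__ == "__main__":
    graph = build_graph(MEMBER_OF, ACLS)
    for user, path in sorted(effective_members("Legacy-GL-Access", graph).items()):
        how = "direct" if len(path) == 1 else "via " + " > ".join(path[1:])
        print(f"Legacy-GL-Access: {user:6s} {how}")
    for resource, users in deletion_impact("Finance-Readers", graph, ACLS).items():
        print(f"deleting Finance-Readers cuts {sorted(users)} off from {resource}")
```

With this data, deleting Finance-Readers, a group nobody is a direct user of, cuts the CEO off from both resources and two analysts off from GL-App, which is the scenario in the story. One caveat worth remembering: a deleted group's SID does not come back when a group of the same name is recreated, so ACL entries that referenced it stay orphaned unless the object is restored (for example from the AD Recycle Bin).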


All businesses, regardless of industry, face an exploding universe of identities, devices and data that employees need to do their jobs. The expanding use of mobile devices and cloud services, along with access for non-employees and transitioning employees, means that risk management and compliance now extend far beyond the traditional enterprise boundary. The result can be trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?


Access Insight 9.0 gives you a comprehensive, continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources and activities. It pulls in large amounts of identity and access data and holds it in a proprietary in-memory access analytics engine, which correlates user identities with their fine-grained access across the organization. The analytics identify potential risk, both current and historical, across lines of business, governance, operations and applications.


For example, Access Explorer lays out every Active Directory group as a spider diagram so you can see whose access is connected to it and where your privileged accounts are linked.


Not only can you drill down into these details, but the analytics can also check large amounts of identity and access data against policy and against company-defined models of activity patterns. This lets you tailor policies to your organization and be notified immediately when a change signals dishonest or malicious behavior. Imagine a solution that automatically alerts you, and requires a micro-certification, when an account has access to do more than you believe it should.


It's time to start using all of this collected data to our advantage. It's time to look at our access relationships and prioritize the risks our organization faces. Whether you have an Identity and Access Management solution or are working directly in Active Directory, Access Insight can put your data to work for you.


Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.


Tags: access rights, Access Insight, access risk, intelligent IAM, identity and access governance, Identity & access management, intelligent identity and access governance, intelligent identity and access management

How Intelligence Enhances Your Cyber Security

Posted by Emily Turner- Product Owner, Access Insight on Thu, May 05, 2016

If you are reading this blog, you most likely understand the benefits of adding identity and access management (IAM) solutions to your business. But what if you could make that solution better and faster, and become proactive instead of reactive? You can. Just add intelligence.

Adding intelligence to your IAM solution turns complex data into actionable information and finds trouble spots and high-risk areas. It can compare users across roles and with their peers, and investigate high-risk individuals, groups and situations.

Adding Intelligence

By connecting to an organization's applications, IIAM solutions continuously collect information about identities and data on resources (including applications, databases and files), access rights, access policies, and user activities such as creating accounts and logging on to applications.

This information, which may amount to gigabytes or terabytes, is organized in a data warehouse, as shown in Figure 1. Identity and Access Intelligence (IAI) then analyzes the identity and access data with advanced analytic tools for data mining, statistical analysis, data visualization and predictive analytics.

Figure 1: Data dissemination capabilities when using IAM

These data analysis tools aren't generic. They draw on IAM-specific policies, rules and risk indicators to provide information of immediate value to IAM administrators, analysts, compliance officers and incident responders.

An Intelligent IAM solution provides the following:

  • Reports and graphics showing IAM activities and risk factors
  • Notifications and alerts about policy violations and suspicious events
  • "Micro-certifications" triggered by questionable activities and events
  • Automatic remediation, such as removing entitlements and disabling administrator accounts obtained without approval
  • Risk scores that can be shared with provisioning systems and other applications (for example, a score used to decide whether a provisioning request needs special approval)
  • Ad-hoc reports and analyses, created by analysts to explore specific issues and risks

These capabilities allow Intelligent IAM solutions to help organizations overcome the governance gap, the complexity gap, and the context gap.

Rapid Response: Turn Complex Data into Actionable Information

An Intelligent IAM solution should not only monitor key data continuously but also provide a flexible range of options for rapid response and remediation. In most cases the appropriate option is a notification or alert to a staff member who can investigate and determine whether the alert represents an issue that requires follow-up.

In other cases a specific action should be triggered, such as a micro-certification or even automatic remediation. In all cases the solution should not only report a possible violation or issue but also supply the related data and, where possible, recommended actions, so the situation is easier to address. The same capabilities improve security analysis and risk management.

Finding Trouble Spots and High Risk Areas

An Intelligent IAM solution can pinpoint trouble spots and weak points, and quickly answer key questions such as the following:

  • Which accounts have the most privileged entitlements and haven't reset a password in hundreds of days?
  • Which individuals have the highest number of access rights when compared to peers?
  • Which business units have the most orphan accounts?

An Intelligent IAM solution can provide answers to questions in seconds, helping security and IAM analysts to:

  • Quickly detect potential indicators of attacks and security breaches (for example, a user account that receives privileged access directly to a target application)
  • Focus their efforts on high-risk situations (for example, accounts with many privileged entitlements whose passwords haven't been reset in over 90 days; see Figure 2-3)
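These questions are plain queries once the account inventory is in one place. The following added example, which is not code from the original post or from Access Insight, runs the first and third of them over a constructed account inventory modelled on a directory export (password-last-set date, group memberships, business unit, recorded owner) and adds a simple additive risk score whose weighting is an assumption of the example rather than anything the product does. The list of which entitlements count as privileged is likewise assumed, and all account and group names are hypothetical.

```python
"""Answer the "trouble spot" questions over an exported account inventory.

Added example; not code from the original post or from Access Insight. ACCOUNTS is
constructed data modelled on a directory export; PRIVILEGED is an assumed list of
which entitlements count as privileged. All names are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TODAY = date(2016, 5, 5)   # fixed reference date so the results are reproducible


@dataclass
class Account:
    name: str
    unit: str                     # business unit
    owner: Optional[str]          # None = no accountable owner on record (orphan)
    password_last_set: date
    entitlements: set = field(default_factory=set)


PRIVILEGED = {"Domain Admins", "Enterprise Admins", "SQL sysadmin",
              "Backup Operators", "Payroll Approver"}

# Constructed inventory.
ACCOUNTS = [
    Account("svc_backup", "IT", None, date(2014, 1, 10),
            {"Backup Operators", "Domain Admins", "SQL sysadmin"}),
    Account("jsmith", "Finance", "mgr1", date(2016, 4, 20),
            {"Payroll Approver", "GL-App"}),
    Account("oldadmin", "IT", "mgr2", date(2015, 6, 1),
            {"Domain Admins", "Enterprise Admins", "SQL sysadmin", "GL-App"}),
    Account("tmp_intern", "Finance", None, date(2016, 1, 15), {"GL-App"}),
    Account("svc_etl", "Finance", None, date(2013, 11, 2), {"SQL sysadmin"}),
    Account("mlee", "HR", "mgr3", date(2016, 3, 1), {"HR-Portal"}),
]


def privileged_count(acct):
    return len(acct.entitlements & PRIVILEGED)


def password_age_days(acct, today=TODAY):
    return (today - acct.password_last_set).days


def stale_privileged(accounts, max_age_days=90, today=TODAY):
    """Accounts that hold at least one privileged entitlement and whose password
    is older than max_age_days, most privileged (then oldest password) first."""
    hits = [a for a in accounts
            if privileged_count(a) and password_age_days(a, today) > max_age_days]
    return sorted(hits, key=lambda a: (-privileged_count(a), -password_age_days(a, today)))


def orphans_by_unit(accounts):
    """Business unit -> number of accounts with no owner on record."""
    return Counter(a.unit for a in accounts if a.owner is None)


def risk_score(acct, today=TODAY):
    """Additive score with an assumed weighting (not the product's): 10 per
    privileged entitlement, 1 per 30 days of password age capped at 12, and 5
    if nobody owns the account."""
    return (10 * privileged_count(acct)
            + min(password_age_days(acct, today) // 30, 12)
            + (5 if acct.owner is None else 0))


def ranked_by_risk(accounts, today=TODAY):
    return sorted(accounts, key=lambda a: risk_score(a, today), reverse=True)


if __name__ == "__main__":
    for a in stale_privileged(ACCOUNTS):
        print(f"{a.name:12s} privileged={privileged_count(a)} password_age={password_age_days(a)}d")
    print("orphans by unit:", dict(orphans_by_unit(ACCOUNTS)))
    for a in ranked_by_risk(ACCOUNTS):
        print(f"{a.name:12s} risk={risk_score(a)}")
```

The ownerless service accounts with standing admin rights and multi-year-old passwords come out on top, which is the sort of result the text means by focusing effort on high-risk situations; the thresholds and weights are knobs a real deployment would set against its own policy.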

Comparisons across Roles and with Peers

An IAM solution can correlate data to compare users with others in the same role, or with any individual in the organization who might provide a useful benchmark. Analysts, business managers, and resource owners can answer questions like “Does John Smith have more access rights than other financial analysts?" and "How do the access rights available to John Smith compare with those of Jane Jones and William Brown?"

These comparisons are extremely useful for assessing new access requests from individuals, for identifying excessive rights that accumulate when people move through different positions, and for highlighting outliers that may indicate a process problem or a misbehaving user.

Comparisons with peers also give enterprises a way to identify elevated access (and risk) without the expense of a major initiative to define and manage roles.
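The peer comparison described above can be put into working form as follows. This is an added example, not code from the original post or from Access Insight; the users, roles and entitlements are constructed, and the two measures it uses (for each entitlement, what fraction of the user's same-role peers also hold it, and the user's entitlement count relative to the peer median) are one reasonable approach rather than the product's method. The 25% and 1.5x thresholds are assumptions.

```python
"""Compare a user's entitlements with those of peers in the same role.

Added example; not code from the original post or from Access Insight. USERS is
constructed data and every name is hypothetical. The measures are an assumed
approach, not necessarily the product's.
"""
from collections import Counter
from statistics import median

# Constructed data: user -> (role, entitlements).
USERS = {
    "john.smith": ("financial analyst",
                   {"GL-App", "Budget-Share", "Expense-Portal", "Payroll Approver", "SQL sysadmin"}),
    "jane.jones": ("financial analyst", {"GL-App", "Budget-Share", "Expense-Portal"}),
    "william.brown": ("financial analyst", {"GL-App", "Budget-Share"}),
    "ana.garcia": ("financial analyst", {"GL-App", "Budget-Share", "Expense-Portal"}),
    "priya.n": ("financial analyst", {"GL-App", "Expense-Portal"}),
    "sam.dba": ("dba", {"SQL sysadmin", "Backup Operators"}),
}


def peers_of(user, users):
    """Other users holding the same role."""
    role = users[user][0]
    return [u for u, (r, _) in users.items() if r == role and u != user]


def entitlement_prevalence(user, users):
    """For each of the user's entitlements, the fraction of peers who also hold
    it; None when the user has no peers to compare against."""
    peers = peers_of(user, users)
    if not peers:
        return {e: None for e in users[user][1]}
    counts = Counter(e for p in peers for e in users[p][1])
    return {e: counts[e] / len(peers) for e in users[user][1]}


def uncommon_entitlements(user, users, threshold=0.25):
    """Entitlements the user holds that fewer than `threshold` of peers hold:
    candidates for review, and the benchmark a new request is judged against."""
    prevalence = entitlement_prevalence(user, users)
    return sorted(e for e, frac in prevalence.items()
                  if frac is not None and frac < threshold)


def excess_ratio(user, users):
    """User's entitlement count divided by the peer median; 1.0 is typical."""
    peers = peers_of(user, users)
    if not peers:
        return None
    return len(users[user][1]) / median(len(users[p][1]) for p in peers)


def outliers(users, max_ratio=1.5):
    """Users holding far more than their peers, e.g. rights accumulated while
    moving between positions."""
    return sorted(u for u in users
                  if (ratio := excess_ratio(u, users)) is not None and ratio > max_ratio)


def compare(user, other, users):
    """Rights one named individual has that the other lacks, in both directions."""
    a, b = users[user][1], users[other][1]
    return {"only_" + user: sorted(a - b), "only_" + other: sorted(b - a)}


if __name__ == "__main__":
    print("john.smith holds but peers rarely do:", uncommon_entitlements("john.smith", USERS))
    print("outliers by entitlement count:", outliers(USERS))
    print(compare("john.smith", "jane.jones", USERS))
```

A user with no peers in the role gets None rather than a score; a lone occupant of a role is exactly the case where the text's second option, comparing against a chosen benchmark individual, applies, which is what `compare` does.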

Investigating High-Risk Individuals, Groups, and Situations

With an intelligent IAM solution, you can investigate and analyze high-risk individuals, groups, and situations, as well as compliance violations. This process makes it easier to answer questions like the following:

  • Are there domain administrator accounts whose passwords have never been changed?
  • Which non-sales systems has this salesperson been accessing?
  • Is anybody accessing patient medical information without a genuine "need to know"?
  • Which accounts with at least five entitlements haven't been used in more than 30 days?
  • Does this account have a suspicious number of privileged entitlements?
  • Should part-time employees receive all the access rights they are routinely granted?
  • Do contractors continue to access resources after their projects end?
  • Are system administrators routinely assigned rights they don't need to perform their jobs?
  • Does this business unit have an abnormal number of accounts with unnecessary entitlements (that is, access rights that have never been used)?


Can your Identity and Access Management solution do all of this? With Access Insight 9.0 it can. Access Insight 9.0, Courion's newest intelligence tool, works with Courion's IAM solution, with another vendor's, or even when no IAM solution is present, to help you make sense of your complex access relationships.

Want more information on how intelligence improves IAM? Download our eBook "Intelligent IAM for Dummies" or schedule a demo of Access Insight 9.0 for your organization and learn how to get the most out of your complex data.


Tags: Access Insight, IAM, access risk, intelligent IAM, IIAM

What's New in Access Insight 9.0?

Posted by Emily Turner- Product Owner, Access Insight on Tue, May 03, 2016


Businesses in all industries need to manage the exploding universe of identities, devices and data that employees require to do their jobs. To help make sense of the trillions of relationships among them, today Courion releases Access Insight 9.0.

Access Insight identifies the risk associated with any misalignment between users and their access within your organization and drives provisioning and governance controls to manage that risk. Specifically designed to answer the critical questions “Who has access to what resources?” and “Have they been given the right level of access?” Access Insight provides IT security, compliance, business and risk professionals with the data and tools they need to successfully deal with these complex challenges.

How does Access Insight 9.0 Work?

Access Insight provides a comprehensive, continuous view and analysis of the trillions of relationships between identities, access rights, policies, resources and activities across a multitude of enterprise systems and resources. Access Insight:

  • Works with Courion’s industry-leading portfolio of IAM solutions, or in conjunction with other IAM solutions to identify potential risks to the business, so you can quickly modify access as needed.
  • Is platform agnostic, and integrates with virtually any data source and commonly used IAM and/or security management application (e.g., SIEM, DLP, AD and others).
  • Enables you to easily configure policies that align with your organization’s corporate and regulatory policies – alerting you to intentional or unintentional violations.

The Access Analytics Engine

Access Insight 9.0 boasts a new analytics engine based on the technology Courion acquired from Bay 31 in 2015. This engine enables companies to analyze complex data at significant scale with incredible speed. Access Insight pulls in large amounts of identity and access data continuously and stores it in its proprietary in-memory access analytics engine. The engine correlates identity and access relationships to identify and prioritize risks, surfacing all the deeply nested relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk, current or historical, in lines of business, governance, operations and applications.

How it Works:

  • A business-friendly dashboard offers a variety of graphical displays and interactive interfaces, so that an organization’s access-related risks and risk levels can be easily viewed by line of-business managers and authorized users.
  • The access analytics engine continuously gathers and synchronizes an organization’s IAM and IAG information from multiple sources to compile a complete picture of an organization’s identities, access rights, resources and activity.
  • Automated data collection increases operational efficiency and reduces operational costs by eliminating labor-intensive IAM processes and drawn out efforts to demonstrate compliance.
  • Continuous governance and automated policy management provide the ability to automatically evaluate and act upon risks associated with users' access and activities in accordance with an organization's corporate controls and government regulations, enabling you to proactively create and enforce policies.
  • Automated notifications alert you to changes and non-adherence to your organization’s corporate and regulatory policies; notify you of any conflicts and enable the swift assessment of risk level so appropriate action can be taken immediately allowing you to continuously maintain compliance.
  • Remediation controls automatically identify and remediate improper access, including intentional and malicious changes to user access that could harm your organization, as well as unintended changes to access.
  • Access analytics provide the ability to analyze large amounts of identity and access data against policy and company defined models of activity patterns. Changes in normal access activity patterns may be a signal of dishonest or malicious behavior. Quickly identify unused or obsolete access entitlements.
  • Drill-down capability allows you to further investigate details for potential threats and resolve risks immediately.

To learn more about Access Insight 9.0, view our datasheet or request a demo with one of our solutions consultants.

Tags: Access Insight, access risk, intelligent IAM, IIAM, intelligent identity and access management

What is Vulnerability and Access Risk Management?

Posted by Felicia Thomas on Thu, Mar 03, 2016

The modern threat landscape is a company's worst nightmare, which pushes cyber security and risk management to the top of the list of standard operating procedures (SOPs). Traditional risk management is a thing of the past, and corporations have begun investing in top-notch security solutions for their various databases. Although no solution will ever be 100% capable of preventing attacks, there are solutions that put roadblocks in the way to deter them. With proper detection solutions, a company becomes proactive rather than reactive in fighting the vulnerabilities that exist in its systems.

Large organizations face increasing threats to their infrastructure and customer data. The vast majority have moved to protect these assets with Identity and Access Management (IAM). Compliant provisioning of users, definition and maintenance of roles, and processes to manage segregation of duties (SoD) are the focus of this type of tool. However, in some cases the traditional IAM solution is not enough protection against threats.

Many large corporations want an automated, rules-driven solution that can provide quick remediation around network access controls. But before an attack is found and remediation can begin, there is the challenge of detecting anomalous activity at the infrastructure level. To help with this detection, many companies have instituted consistent monitoring, scanning their systems for potential threats to safeguard their infrastructure.

Dynamic provisioning through IAM, combined with vulnerability management to deter attacks at the infrastructure level, positions a corporation to achieve the best protection possible. That combination is what VARM, Vulnerability and Access Risk Management, means. It is not just a first line of defense; it is a complete, end-to-end approach intended to break the "kill chain" of threats within the enterprise.


Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn:


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation 
  • Tools to remediate vulnerabilities 
  • Prioritization for reducing risk 
  • Check list for a VARM solution 

Tags: access risk management suite, IAM, access risk, intelligent IAM, identity and access management, Access Risk Management, Identity & access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

9 Things to Look For in an Intelligent Identity and Access Management System

Posted by Ashley Sims - Marketing Manager on Thu, Jan 28, 2016

Do you know what to look for in an Intelligent Identity and Access Management system? Let us help with today's checklist of 9 essential items for IIAM. 


Tags: Courion, intelligent IAM, IIAM, intelligent identity and access governance, intelligent identity and access management

What is Intelligent Identity and Access Management?

Posted by Jay Mecredy on Thu, Jan 21, 2016


What is Intelligent IAM?

Intelligent IAM (IIAM) encompasses all the administrative processes used in Identity and Access Management (IAM), but the processes are influenced by real-time data. IAM solutions that use intelligence continuously collect, monitor, and analyze large volumes of identity and access-related information, combining data not only from provisioning and governance solutions but also from security products and other external systems. IIAM solutions are often designed to be used with a provisioning system, a governance system, or both.

IIAM solutions, which include integrated identity analytics and intelligence (IAI), help find key information hidden in complexity and provide visibility into context and comparative data. These solutions can help organizations:

  • Avoid security breaches by continuously monitoring for policy violations and vulnerabilities and by uncovering problems hidden in large volumes of data
  • Strengthen risk management by reducing vulnerabilities immediately and by highlighting individuals and resources associated with high risks
  • Continuously improve provisioning, governance, and other IAM processes by focusing attention on weak links and ineffective processes
  • Improve the productivity of IT staff by giving them tools to quickly and reliably conduct analyses, find patterns, identify anomalies, and spot trends


Why Is Traditional IAM No Longer Enough?

Until recently, traditional IAM encompassed only the provisioning and governance products needed to evaluate or audit access and confirm that the access provided complies with business policies and external regulations.

Some examples of traditional IAM functionality include the following:

  • Provisioning solutions automate the granting and revocation of access to applications, IT systems, and services; tangible assets such as laptops, smartphones, and security badges; and intangible entitlements such as access to secure areas.
  • Governance solutions provide tools to enable compliance with government regulations, industry standards, and organization policies, and to verify that compliance.

IAM solutions have helped organizations automate operations, reduce manpower needs, simplify audits, and provide users with access to the applications and resources they need. Yet traditional IAM processes are far from perfect.

Organizations are still challenged by issues such as lingering abandoned accounts for users no longer affiliated with the organization, proliferating orphaned accounts with no administrative oversight, people with inappropriate access to data, and policy violations. These challenges increase the level of risk to the organization.



In Figure 1-1 (right), you can see the impact abandoned accounts have on your organization. With so many accounts left without an owner, you greatly increase your risk of a breach.





Is Intelligent Identity and Access Management (IIAM) for you? Read more about how you can use IIAM in your business to turn big data into actionable information by downloading IIAM for Dummies today! 


Tags: IAM, Identity and access intelligence, intelligent IAM, identity and access management, intelligent identity and access governance

Better Together: Courion and Core Security

Posted by Chris Sullivan - GM, Intelligence/Analytics on Wed, Dec 16, 2015

Courion + Core Security FAQ
By Ray Suarez, Core Security and Chris "Sully" Sullivan, Courion

A lot of folks have been asking why we made this acquisition. The reality is, this is a merger of two market leaders expanding their products to offer something never before seen in the cyber-security space. So to build on and explain this thought, we wanted to do a little Q&A to answer some of your questions.

Ray: Sully, why do organizations do Identity, Governance and Administration (IGA)?
Sully:  To manage access to information and processes.

You can buzz it up by talking about threat surface and risk but you are simply protecting card data, IP (your crown jewels) or the ability to prevent unintended transfer of large sums.

Sully:  Why do organizations do Vulnerability Management (VM)?
Ray: To manage access to information and processes.

So let’s see, they are both solving the same problem. VM protects you up to the identity, and IGA from the identity to the process or information. Each area has tools, control processes and teams to do the work.

But our adversaries don't partition their work this way. Consider the Target breach attack path: HVAC vendor account (IGA) -> VPN (VM) -> BMC_user1 account (IGA) -> C&C server (VM) -> payment systems network firewall (VM) -> dev, software distribution and exfiltration servers (VM). Our adversaries move quickly between the VM and IGA worlds and hide in the cracks between them.

Now, Courion has long been an IGA market leader and is specifically recognized for customer satisfaction and for delivering on the promise of intelligence. We use a property graph (I know, too techie, but it's necessary to solve the scale problems) to give you a comprehensive view of your logical access: person, to accounts, to permissions and sub-permissions, to roles and sub-roles and sub-sub-sub... In a mid-sized company that's billions of changing security permutations; even the best security experts can't visualize that complexity. Our analytics let you really understand what's important, so you know what you are requesting, reviewing and approving instead of just pretending that you do.

And Core Security has long been the VM market leader and is specifically recognized for unraveling the complex permutations of vulnerabilities that could lead to a breach of critical assets by an attacker. Core Security also uses a property graph to give you a comprehensive view of the layered infrastructure and to understand what's important: network, client, web, wireless and mobile.

Now imagine what would happen if you connected those two worlds with all that domain expertise and IP.  For example a blind person will perfect their listening skills to compensate for their disability and a hearing impaired person will perfect visual observation. If we could combine each of these improved senses, it would provide clarity that us normal folk might not even think possible.

Don’t believe us? Hear what some of the industry experts have to say here

2 more questions…

1. Why does InfoSec exist? To manage access to information and processes.

2. Why Courion + Core Security? Because it was the only sensible thing to do.

Welcome to Courion + Core Security, the only security company that can continuously and comprehensively manage access to your information and processes.

Did we miss anything? We are building a new world so if you have any questions or just want to discuss things, please let us know in the comments. 


Tags: IAM, Courion, cyber security, intelligent IAM, IAG, identity and access governance, core security, vulnerability management, VRM, vulnerability risk management

Detect, Deter, and Remediate Breaches

Posted by Ashley Sims - Marketing Manager on Thu, Dec 10, 2015

This week has been a whirlwind for everyone at Courion. On Wednesday we announced a new acquisition and launched a new website. Both pretty "wow" factors if you ask me but there was another event that took place on Tuesday that you may have missed. 

For those of you who didn't have the chance to make it out to Vegas for the Gartner IAM Summit and listen to two of our amazing thought leaders speak, we wanted to share their presentation. 

Venkat Rajaji, VP, Product Management/Marketing and Chris Sullivan, GM, Intelligence/Analytics share their thoughts on how companies can detect, deter and remediate breaches and other cyber risks through Intelligent Identity and Access Governance Solutions. 

Click here to get a copy of "Intelligent Identity and Access Governance - Deter, Detect, and Remediate Breaches Before Business Loss". 



Tags: intelligent IAM, access intelligence, intelligent identity and access governance

4 Things CISO's Are Thankful For

Posted by Ashley Sims - Marketing Manager on Thu, Nov 12, 2015

Tags: cybersecurity, intelligent IAM, intelligent, password management, CISO, password

The Walking Dead: How to Find Zombie Accounts in Your Network

Posted by Chelsea Herring- Sales Operations Analyst on Thu, Oct 29, 2015

Living in Atlanta, I get my fair share of zombies. The popular television show "The Walking Dead" was actually filmed on Georgia State's campus downtown and features several Atlanta landmarks. We have the Centers for Disease Control, which (hopefully jokingly) has a zombie preparedness plan. We even have a zombie walk each year around this time, where anyone who wants to get in on the madness can dress as a zombie and stagger around town. While zombies may be popular when it comes to fictional TV shows or once-a-year costumes, they are a real and ongoing problem when it comes to your IT security.

Zombie accounts, also known as abandoned accounts, are user accounts left with no verifiable owner. This happens most often when someone leaves your company and their access to an application is never terminated. In a perfect world, a person who leaves would never try to get back into your systems for any reason. But our world is not perfect. Rogue insiders can create or hide these accounts in your systems for nefarious reasons, and attackers all over the world are stealing credentials and trying them against your systems. If an employee used the same password at a bank that was just breached and on your hospital's EHR system, the attackers are already in.

The solution sounds simple, almost as if you can't believe people don't terminate access immediately after someone leaves, but it happens all the time. For example, think about a hospital with 200 doctors, 400 nurses and 300 support staff. Each nurse needs access to email, the EHR system, the file share and the patient portal, and the nurses who also work with insurance need access to that system too. Oh, and the nurse who worked on the floor for a month before transferring to the ER: she is gone now, but did we ever shut off her floor access?

Have you had a layoff, or do you have a seasonal business where many employees leave at once? What about interns or contractors? The rise of zombie accounts isn't like something out of the movies; it is as simple as any of the examples above. With so many users in your systems, you can't see who is signing into these accounts or monitor their usage in real time without an automated process. Leaving these accounts open increases your threat surface and the likelihood that you will be breached.

So how do you stop zombie accounts? On TV it's as easy as a single shot to the head. In the real world, the silver bullet is called intelligence. With a manual system full of spreadsheets, you have to comb through each of them and hope that each manager didn't miss anything. In an organization of ten people this might be feasible, but in an organization with hundreds or thousands of employees a manual system doesn't give you the insight you need when you need it.

With an intelligent IAM system you can de-provision accounts automatically: no spreadsheets to look through, and once an employee leaves, all of their access rights are shut down immediately. Intelligence in IAM also lets you see into your systems at any time with real-time monitoring tools. What your environment looks like now versus five minutes from now will be completely different, and you have to be able to see into it to ensure that no one is abusing their access.

You can’t fix what you can’t see. If you can’t see zombie accounts staggering through your network then how will you know they are there? Or if they are being controlled by a hacker who is quietly siphoning off data to use against you. You need an intelligent IAM solution to help stop zombie attacks and any other insider threat your system may face.

Have you had success in ridding your network of zombies? Let us know in the comments!

Ready to start your own Zombie Preparedness Kit? With a quick scan of your system we can show you:

  • Where your zombie accounts may be lurking
  • How you can improve operational efficiencies 
  • How you can reduce the threat of zombie accounts  
  • How to drive your IT costs down.



Tags: cybersecurity, IAM, IAM in the cloud, Zombie Accounts, intelligent IAM, Cyberattack