Why Incident Response Needs Identity Management


In our last post, we discussed the importance of incident response in minimizing the cost of a data breach. Costs rise the longer it takes to identify a security event and mitigate the damage. An incident response plan creates a detailed process that speeds detection and resolution.

Identification of an incident is not as straightforward as you might think. Security devices, network gear, and computer systems are constantly generating logs and alerts, many of which could point to a security event worth investigating. Amid all the “noise,” it’s difficult to separate the truly suspicious activity from the false positives.

If an incident response team is able to spot a security event in all this data, they have just one piece of the information they need. They might know what happened but not who might be behind it, the extent of that party’s activities, or the potential implications.

That’s why identity management is a key component of incident response. It enables a team to correlate security event data with identity data so they can take action based on the “who” as well as the “what.” The team also has an additional data set that can help them spot patterns they didn’t even know to look for.

Let’s say an incident response team detects unauthorized access to data, and traces that activity to a particular user’s account. We can identify three very different responses to the same event based on the “who” involved. First, a look at the user’s access history might indicate an innocent mistake. In that case, additional training might be in order for that user. A second option comes to mind if the team finds a more sinister pattern of activity that warrants termination of the employee. A third response becomes more likely if the team determines that the user could not possibly have been involved in the activity, suggesting stolen credentials are in play. In that case, the user’s credentials should be changed, and the team might recommend beefing up access controls or implementing two-factor authentication.
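As an added illustration that is not part of the original post, the triage below turns the three responses into rules over an audit event (fields following the PCI DSS 10.3 minimum set) joined with a small identity directory; the directory fields, the pattern threshold and all sample records are constructed assumptions.

```python
"""Triage one unauthorized data-access event by correlating it with identity data,
choosing among the three responses described above. All records are constructed."""
from dataclasses import dataclass

@dataclass
class AuditEvent:            # fields follow the PCI DSS 10.3 minimum set
    user: str
    event_type: str
    timestamp: str           # ISO 8601, constructed
    success: bool
    origin: str              # host or address the access came from
    resource: str            # data or system component touched

# Constructed identity directory: account status, usual origins, entitlements.
IDENTITY = {
    "jdoe":   {"status": "active",   "known_origins": {"10.1.1.20"}, "authorized": {"orders-db"}},
    "asmith": {"status": "on_leave", "known_origins": {"10.1.1.31"}, "authorized": {"hr-share"}},
}

def triage(event, history, identity=IDENTITY, pattern_threshold=3):
    """Return (response, reason). `history` is the user's earlier audit events."""
    ident = identity.get(event.user)
    if ident is None:
        return "credential_theft", "account is unknown to the identity directory"
    # Could the real user have been involved at all?
    if ident["status"] != "active":
        return "credential_theft", f"account status is '{ident['status']}'"
    if event.origin not in ident["known_origins"]:
        return "credential_theft", f"origin {event.origin} never seen for this user"
    # A run of earlier reaches outside the user's entitlements is a pattern, not a slip.
    prior = [e for e in history
             if e.user == event.user and e.resource not in ident["authorized"]]
    if len(prior) >= pattern_threshold:
        return "investigate_insider", f"{len(prior)} earlier out-of-scope accesses"
    return "training", "isolated access from the user's usual origin"

def demo():
    """Constructed events exercising each branch; returns {case: response}."""
    mistake = AuditEvent("jdoe", "data_access", "2017-11-02T10:05:00Z", True, "10.1.1.20", "payroll-share")
    repeat = [AuditEvent("jdoe", "data_access", f"2017-10-{d:02d}T09:00:00Z", True, "10.1.1.20", "payroll-share")
              for d in (3, 9, 17)]
    stolen = AuditEvent("asmith", "data_access", "2017-11-02T03:14:00Z", True, "203.0.113.9", "hr-share")
    return {"jdoe_once": triage(mistake, [])[0],
            "jdoe_pattern": triage(mistake, repeat)[0],
            "asmith": triage(stolen, [])[0]}

if __name__ == "__main__":
    print(demo())
```

The same event from the same account lands in "training" or "investigate_insider" depending only on the user's access history, and an account the directory says is on leave is treated as stolen credentials regardless of what was touched.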

As the example demonstrates, the correlation of security events with identity data is crucial in determining incident responses. Such correlation is mandated by many regulatory compliance requirements. For example, Requirement 10 of the Payment Card Industry Data Security Standard (PCI DSS) states that industry members should:

  • 10.1 Establish a process for linking all access to system components to each individual user – especially access done with administrative privileges.
  • 10.2 Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of identification and authentication mechanisms; initialization of the audit logs; creation and deletion of system-level objects.
  • 10.3 Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.

Sarbanes-Oxley, HIPAA, and other regulations include similar provisions. The authors of these regulations recognized that when event logs are tied to user identities, an incident response team can more quickly dismiss benign events, prioritize actionable events, and make decisions as to how to proceed.

Speed of response will be even more critical when the European Union (EU) General Data Protection Regulation (GDPR) goes into effect in May 2018. Any organizations that control or process data on consumers in the EU will be required to report data breaches within 72 hours or risk facing fines of up to 4 percent of their annual global sales.

Simply correlating log files and security data to identify an event can be an enormous effort. Adding identity data to the mix might seem an insurmountable task. However, it is absolutely essential for incident response and regulatory compliance, helping teams spot unauthorized access attempts, suspicious changes to user accounts, and other activity that might point to a security breach.


For more information about Identity Management, please send us an email at (
