Saryu Nayyar | Forbes.com
Many of the largest and most infamous data breaches of recent years share a root cause: attackers compromised poorly secured privileged accounts and used them to steal or corrupt sensitive data, plant malware or carry out some other malicious action. Once they hold elevated permissions, they move laterally through the network toward the systems and data they are after.
The threat goes beyond external cybercriminals. Organizations also are at risk internally. As cited in Cybersecurity Insiders’ 2020 Insider Threat Report, the majority (63%) of IT workers believe users with internal privileges pose the most risk.
Privileged accounts typically belong to IT administrators and business super users, who, by virtue of the account permissions, hold the keys to the organization’s crown jewels. They are able to create accounts for others, read and modify important data, install and run software programs, change system configurations and, in the case of a business manager or executive, authorize restricted activities such as issuing payments for invoices.
These accounts are prime targets for credential phishing, and a single compromised account can be enough to cause a disaster.
Legacy PAM Solutions Have Shortcomings
Privileged accounts pose a high risk for every organization. A Forrester Research study found that 80% of data breaches stemmed from misuse of privileged account access.
Unfortunately, many accounts carry far more privilege than their owners need. A basic tenet of security is the principle of least privilege: give every account the minimum rights its job requires, and grant elevated rights only where there is a demonstrated need, for as short a time as possible.
A traditional safeguard for important accounts is privileged access management, or PAM. A PAM tool keeps the credentials of privileged accounts in a vault. A legitimate user checks a credential out of the vault, is permitted to use the privileged account for a limited time, and checks the credential back in when the work is done. On check-in the vault typically rotates the password, so the credential the user held no longer works and the privileged tasks can no longer be performed with it.
PAM records who checked out which account, and when. In theory this secures the special accounts; in practice there are several shortcomings.
For one thing, PAM only protects accounts that were onboarded into the vault. Large enterprises have so many privileged accounts, including service accounts, local administrator accounts and cloud roles, that they have lost track of them; they don't know who can use these powerful accounts or when. Vaulting depends on knowing an account exists, and legacy PAM does little to find the accounts nobody onboarded, so many privileged accounts escape PAM's purview entirely.
A second shortcoming is PAM's lack of continuous monitoring of what privileged accounts are actually doing once a credential is checked out. The approach assumes privileged users only do what they are expected to do and nothing more. What if a database administrator whose role requires running backups is also quietly downloading customer data to sell on the dark web? Knowing that the DBA checked out the credential tells you nothing about that; PAM doesn't analyze the behavior to determine whether it is out of bounds.
What’s Needed: Discovery Followed By Continuous Monitoring
To reduce the risk of abused privileged credentials, you must do complete discovery of every account with heightened access privileges, then continuously monitor their use.
As a practical matter, many newly discovered accounts can probably be stripped of their privileged status. For the remaining accounts that serve a legitimate purpose, the actual behavior of those accounts must be closely monitored throughout the entire time they are in use.
Discovery can't rest on anything as simplistic (and unreliable) as account naming conventions or the group assignments recorded in an identity management system. It has to resolve each account's effective permissions: direct grants, nested group memberships, sudo rules, cloud IAM policies and the roles an identity can assume, down to the level of individual services. In a large enterprise that means an exhaustive scan across every directory, host and cloud account; machine learning can then help classify and prioritize what the scan turns up, but the enumeration itself has to be complete.
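As an added example of the difference between a name-based inventory and effective-permission discovery (and of the vault gap described under the first shortcoming above), the block below walks a constructed directory snapshot. It is not code from the article or from any product; the users, groups, grants, privileged-right labels and the "vaulted" set are all made up for illustration.

```python
"""Effective-privilege discovery over a constructed directory snapshot.

Added illustration, not code from the article or any product. All users,
groups, grants and the 'vault inventory' below are constructed test data.
"""
from collections import deque

# Direct memberships: principal -> groups it belongs to (users and groups alike).
MEMBER_OF = {
    "jdoe":               ["helpdesk-tier1"],
    "svc_backup":         ["backup-operators"],
    "adm_alice":          ["domain-admins"],
    "bob":                ["finance-approvers", "reporting"],
    "helpdesk-tier1":     ["workstation-admins"],
    "backup-operators":   ["domain-admins"],   # nested: the name looks harmless
    "workstation-admins": [],
    "domain-admins":      [],
    "finance-approvers":  [],
    "reporting":          [],
}

# Rights attached directly to a principal. Only these, resolved through the
# membership graph, say what an account can really do.
GRANTS = {
    "domain-admins":      {"ad:full-control"},
    "workstation-admins": {"host:local-admin"},
    "finance-approvers":  {"erp:approve-payment"},
    "jdoe":               {"linux:sudo-ALL"},   # direct grant, invisible to group review
}

# Rights the organization classes as privileged (constructed labels).
PRIVILEGED = {"ad:full-control", "host:local-admin", "linux:sudo-ALL", "erp:approve-payment"}

USERS = ["jdoe", "svc_backup", "adm_alice", "bob"]
VAULTED = {"adm_alice"}   # the only account PAM was told about


def effective_permissions(principal):
    """Walk nested memberships breadth-first; return {right: principal that grants it}."""
    perms, seen, queue = {}, set(), deque([principal])
    while queue:
        p = queue.popleft()
        if p in seen:            # guards against membership cycles and diamonds
            continue
        seen.add(p)
        for right in GRANTS.get(p, ()):
            perms.setdefault(right, p)
        queue.extend(MEMBER_OF.get(p, ()))
    return perms


def discover_privileged(users=USERS):
    """Accounts holding at least one privileged right, with where each right comes from."""
    found = {}
    for u in users:
        held = {r: via for r, via in effective_permissions(u).items() if r in PRIVILEGED}
        if held:
            found[u] = held
    return found


def unvaulted_privileged(users=USERS, vaulted=VAULTED):
    """Privileged accounts PAM has never seen: the gap discovery exists to close."""
    return sorted(u for u in discover_privileged(users) if u not in vaulted)


def naming_convention_guess(users=USERS, prefix="adm_"):
    """What a name-based inventory would report, for contrast."""
    return sorted(u for u in users if u.startswith(prefix))


if __name__ == "__main__":
    for user, rights in discover_privileged().items():
        print(user, {r: f"via {v}" for r, v in rights.items()})
    missed = sorted(set(discover_privileged()) - set(naming_convention_guess()))
    print("missed by naming convention:", missed)
    print("privileged but not vaulted:", unvaulted_privileged())
```

Run as written, the naming convention finds only `adm_alice`, while resolving effective rights also surfaces `svc_backup` (Domain Admins through a nested group), `jdoe` (a direct sudo grant plus local admin inherited through the help-desk group) and `bob` (payment approval), none of which are in the vault. In a real environment the graph would be fed from the directory, `/etc/sudoers`, local administrator groups and cloud IAM policy evaluations rather than from literals.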
Once all privileged accounts are discovered, they must be continuously monitored in how they are used (i.e., the users’ behaviors). Again, machine learning with anomaly detection can determine when an account user — insider or outsider — is performing some activity that is considered to be outside the bounds of normal or appropriate behavior for that account and its peer group. From there, a risk score can be calculated to raise an alert as to whether the activity is considered to be high, medium or low risk.
Going one step further, automated remediation through a security orchestration, automation and response (SOAR) tool can act immediately when the risk score is high. Without human intervention, the session can be terminated, the checked-out credential checked in and rotated, or the account disabled to prevent further malicious activity. Automatically locking out an administrator can itself cause an outage, so the actions, and the accounts they may be applied to (break-glass accounts excluded), should be chosen deliberately.
Continuing with the earlier example of the database administrator, this person has a legitimate right to access the customer database; doing so is completely normal behavior. If the person makes a copy of the data and attempts to send it to Dropbox, however, that is very different from what they normally do, and from what every other database administrator at the company does. With continuous monitoring, the activity is quickly identified as unusual and scored for risk.
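As an added example of the monitoring, scoring and automated-response steps described above, the block below baselines a constructed activity history per user and per peer group, scores new events by how unusual they are for both, and maps the score to a gated SOAR response. It is not code from the article or from any product; the history, user names, weights, thresholds and action names are assumptions chosen for illustration.

```python
"""Peer-group behavior scoring for privileged accounts, with a gated response.

Added illustration, not code from the article or any product. The activity
history, user names, weights, thresholds and response actions are constructed.
"""
from collections import Counter, defaultdict

# Constructed baseline window: (user, peer_group, action, destination, count).
HISTORY = [
    ("dba_kim", "dba", "db.backup", "backup-nas",  3),
    ("dba_kim", "dba", "db.query",  "customer-db", 2),
    ("dba_lee", "dba", "db.backup", "backup-nas",  3),
    ("dba_raj", "dba", "db.backup", "backup-nas",  2),
    ("dba_raj", "dba", "db.query",  "customer-db", 2),
]

BREAK_GLASS = {"adm_breakglass"}   # never auto-disabled; a human is paged instead


def build_baselines(history=HISTORY):
    """Per-user and per-peer-group counters of (action, destination)."""
    per_user, per_peer = defaultdict(Counter), defaultdict(Counter)
    for user, peer, action, dest, n in history:
        per_user[user][(action, dest)] += n
        per_peer[peer][(action, dest)] += n
    return per_user, per_peer


def rarity(counter, key):
    """1.0 = never seen in this baseline; approaches 0.0 as the pair becomes routine.

    The +1 in the denominator keeps a brand-new user (empty baseline) from
    dividing by zero. Such a user scores 1.0 on everything, which is why the
    peer-group term below carries more weight than the individual term.
    """
    return 1.0 - counter[key] / (sum(counter.values()) + 1)


def score_event(user, peer, action, dest, baselines):
    """Risk score 0..100: 40% 'unusual for this user', 60% 'unusual for their peers'."""
    per_user, per_peer = baselines
    key = (action, dest)
    score = 0.4 * rarity(per_user[user], key) + 0.6 * rarity(per_peer[peer], key)
    return round(100 * score)


def risk_level(score):
    return "high" if score >= 90 else "medium" if score >= 50 else "low"


def respond(user, level):
    """Actions a SOAR playbook would run. Containment is automatic only for
    high-risk events on accounts that are safe to lock out."""
    if level == "high" and user not in BREAK_GLASS:
        return ["terminate_session", "checkin_and_rotate_credential", "disable_account"]
    if level == "high":
        return ["page_oncall"]   # break-glass account: alert loudly, do not lock out
    if level == "medium":
        return ["alert_analyst"]
    return []


def evaluate(user, peer, action, dest, baselines=None):
    """End to end: score the event, classify it, decide the response."""
    baselines = baselines or build_baselines()
    s = score_event(user, peer, action, dest, baselines)
    lvl = risk_level(s)
    return s, lvl, respond(user, lvl)


if __name__ == "__main__":
    b = build_baselines()
    # a routine backup, a first-time query of a table the peers use daily,
    # and an upload to Dropbox that neither the user nor any peer has ever done
    for ev in [("dba_kim", "dba", "db.backup", "backup-nas"),
               ("dba_lee", "dba", "db.query", "customer-db"),
               ("dba_kim", "dba", "file.upload", "dropbox.com")]:
        print(ev, evaluate(*ev, baselines=b))
```

The routine backup scores low, the first-time query of a table the DBA's peers use every day lands in the medium band (new for this user, normal for the role, so an analyst looks rather than a playbook acting), and the Dropbox upload scores 100 because it is unseen for both the user and the entire DBA peer group, which is the case the article's example describes. A production system would use richer features and a learned model rather than simple frequencies, but the shape of the decision, individual baseline plus peer baseline plus a guarded response, is the same.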
Cloud Accounts Must Be Monitored, Too
As companies now run more applications and workloads in the cloud than on-premises, any privileged account management solution must cover cloud accounts as well. In the cloud, privilege is defined less by named accounts than by IAM policies, roles that can be assumed and access keys that can be minted, so a solution has to understand those identities and report on how privileged access is actually being used. Only a few cloud-native, analytics-driven products do this; legacy PAM solutions don't, leaving a large portion of an enterprise's accounts unmonitored and unmanaged.
Privileged accounts — for on-premises, cloud-based or hybrid systems — hold the keys to the kingdom. They must be monitored continuously for any behavior that appears risky to the business and stopped in real time before damage is done.
External Link: How To Stop Risky Activity On Privileged Accounts