Stop Misuse of Privileged Accounts: Identity Analytics with UEBA

Misused privileged accounts continue to be a leading attack vector for some of the largest and most infamous data breaches and cyber-attacks. In fact, Forrester Research estimates that at least 80% of data breaches have a connection to compromised privileged credentials, such as passwords, tokens, keys, and certificates.[1]

Insiders with access to privileged accounts – the kind of accounts typically used by system administrators and business super users – pose a threat as well. The 2023 Insider Threat Report surveyed over 326 cybersecurity professionals to reveal the latest trends and challenges facing organizations in this changing environment.

With access to even one privileged account, an intruder can find and steal valuable data, modify system configuration settings, and install and run programs. And it only takes one hijacked privileged account to snowball into a data breach disaster.

PAM Leaves Gaps in Coverage

Privileged Access Management (PAM) tools have been available for years to address this problem. The premise of these tools is to create a virtual vault where temporary passwords for accounts with heightened access privileges are stored. Any person needing access to one of these accounts checks into the vault, gets authenticated, and is issued a one-time password that allows the user to do their job for a period of time. Once that work is done, the password expires and the account is locked until the user goes through the password request process again. PAM tracks who uses the account, and when.

In theory, this is an effective approach to control the use of privileged accounts. In reality, not so much.

PAM rests on only two control points, and both are assumptions. One is that all of an enterprise’s privileged accounts are in the vault. The other is that people who are authorized to use an account and password don’t abuse that privilege by doing things they shouldn’t be doing. Let’s look at the shortcomings of those assumptions that lead to weak controls.

Assumption: All privileged accounts are in the vault. The fact is most large enterprises have so many user accounts with heightened privileges that they don’t even know about all of them. Many accounts were over-privileged to begin with and they have long been forgotten. PAM doesn’t provide the means to do a deep discovery on all the access permissions that user accounts have, so no one can be sure that all of an enterprise’s privileged accounts get locked into the vault.

Assumption: Privileged users don’t abuse their accounts. This is the complete antithesis of what bad actors actually do. Their whole purpose for obtaining access to a privileged account is to abuse it for their own malicious purposes. The problem with PAM is that it doesn’t closely monitor what a user does from the time they get the password out of the vault until the time it expires. There are no controls over how the account is actually used.

Gurucul plugs these gaps with our Identity Analytics and User & Entity Behavior Analytics (UEBA) products.

The Gurucul One-Two Combination of Identity Analytics and Behavioral Analysis

The first step is to use Gurucul Identity Analytics to do discovery of the entire environment and come up with a complete accounting of privileged accounts and entitlements, including where administrative rights were provisioned without accountability. Gurucul has the ability to discover normal accounts that have hidden privileged access entitlements, as well as accounts for cloud platforms where the solution digs down to the microservices level to see who has access to what services and how that access is being used. The result of this discovery process is privileged access intelligence at the entitlement level.

Once all accounts with heightened permissions are identified, an organization can take the opportunity to retract permissions where they are not needed. Ideally this will leave fewer privileged accounts to manage and protect.
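The discovery step above is easiest to see on a small, constructed example. The Python below is an added illustration and not Gurucul's code: it resolves nested group memberships into effective entitlements, flags accounts that hold a privileged entitlement but are missing from a hypothetical vault inventory (`VAULTED`), and lists privileged entitlements that have gone unused long enough to be candidates for retraction. All accounts, groups, entitlements and last-use ages are made up for the example.

```python
"""Effective-entitlement discovery over a constructed directory snapshot.

Finds (1) accounts with privileged rights that the PAM vault does not cover,
including rights inherited through nested groups, and (2) privileged
entitlements that are idle and could be retracted. Sample data is constructed.
"""
from collections import deque

# Constructed: direct group memberships per account.
MEMBERSHIPS = {
    "alice": {"dba-team"},
    "bob": {"helpdesk"},
    "carol": {"reporting-readers"},
    "svc-etl": {"etl-jobs"},
}

# Constructed: nested group graph (group -> groups it is itself a member of).
GROUP_PARENTS = {
    "dba-team": {"db-admins"},
    "helpdesk": {"workstation-admins"},
    "reporting-readers": set(),
    "etl-jobs": {"db-admins"},  # hidden: a service account inherits DBA rights
    "db-admins": set(),
    "workstation-admins": set(),
}

# Constructed: entitlements granted by each group.
GROUP_ENTITLEMENTS = {
    "dba-team": {"db:backup"},
    "db-admins": {"db:drop", "db:grant"},
    "helpdesk": {"ticket:write"},
    "workstation-admins": {"host:local-admin"},
    "reporting-readers": {"db:read"},
    "etl-jobs": {"db:read", "db:write"},
}

# Entitlements the organization treats as privileged (assumption for the example).
PRIVILEGED = {"db:drop", "db:grant", "host:local-admin"}

# Constructed: the accounts the PAM vault currently knows about.
VAULTED = {"alice"}

# Constructed: days since each privileged entitlement was last exercised (None = never).
LAST_USED_DAYS = {
    ("alice", "db:drop"): 400,
    ("alice", "db:grant"): 12,
    ("bob", "host:local-admin"): None,
    ("svc-etl", "db:drop"): None,
    ("svc-etl", "db:grant"): None,
}


def effective_groups(account):
    """Resolve nested memberships with a breadth-first walk over parent edges."""
    seen, queue = set(), deque(MEMBERSHIPS.get(account, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(GROUP_PARENTS.get(group, ()))
    return seen


def effective_entitlements(account):
    """Union of entitlements granted by every group the account is effectively in."""
    entitlements = set()
    for group in effective_groups(account):
        entitlements |= GROUP_ENTITLEMENTS.get(group, set())
    return entitlements


def unvaulted_privileged_accounts():
    """Accounts holding a privileged entitlement that the vault does not cover."""
    findings = {}
    for account in MEMBERSHIPS:
        privileged = effective_entitlements(account) & PRIVILEGED
        if privileged and account not in VAULTED:
            findings[account] = sorted(privileged)
    return findings


def retraction_candidates(max_idle_days=90):
    """Privileged entitlements never used, or unused longer than max_idle_days."""
    candidates = []
    for account in MEMBERSHIPS:
        for entitlement in sorted(effective_entitlements(account) & PRIVILEGED):
            idle = LAST_USED_DAYS.get((account, entitlement))
            if idle is None or idle > max_idle_days:
                candidates.append((account, entitlement))
    return candidates


if __name__ == "__main__":
    print("Privileged but not vaulted:", unvaulted_privileged_accounts())
    print("Retraction candidates:", retraction_candidates())
```

Note that `bob` never appears in any explicitly "admin" group, and `svc-etl` is a service account rather than a person; both surface only because nested membership is resolved, which is the kind of hidden entitlement the text says a vault-only view misses.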

It’s important to remember that each of these privileged accounts is assigned to a specific person in the organization – an identity – and every identity has more than 250 attributes that are tracked by Gurucul. We’ll get to the importance of this in a moment.

Now, having identified all the privileged accounts, the next step is to use the intelligence from the discovery process to manage, monitor and control privileged access using UEBA. UEBA security involves keeping track of what users are doing – particularly those with elevated privileges – and looking for behaviors that are outside the range of normal activities.

A very effective approach to managing privileged user access is to combine UEBA security with in-depth intelligence about a user’s identity attributes and the privileges he has on the network. In other words, what a person does vis-à-vis what he is permitted to do.

This approach involves analyzing the access rights and entitlements a person has; the activities he has been performing both now and in the past, even across multiple accounts; and the typical activities that members of his peer groups are doing. It takes a combination of the right data sources, sophisticated machine learning, and perceptive data science to pinpoint truly aberrant actions that are good indicators of misuse of assigned privileges.

UEBA security assigns a risk score to these aberrant behaviors. The risk score can be used to support decision-making as to what action to take, if any. For example, if the score is high, then the account can be temporarily suspended from performing any other tasks.

Using the calculated risk score, Gurucul can work in conjunction with Security Orchestration, Automation and Response (SOAR) tools to automate remediation steps. Without any human intervention, remediation can take place in real-time to prevent harm to the organization.

Examples of the Solution in Use

Let’s look at two examples of how this works. The first case is a legitimate insider, a database administrator whose job requires her to back up company databases containing sensitive customer information on a regular basis. Her privileged login account gives her the necessary access permissions. For months she logs in regularly and performs the tasks to create the backups. Then one day she gets a poor performance review and is told she is on notice for losing her job if she gets another bad review. She decides to get revenge by making a copy of the database, sending it to her private storage account, and then corrupting the production database.

She logs in as usual and issues a command to copy the database, which is normal given her duties to create backups. Then she attempts to send a copy of the file to her external Dropbox account. Gurucul detects right away that this is anomalous, high-risk behavior for this person and, through a SOAR tool, prevents the data from being exfiltrated through Dropbox and drops account connectivity immediately.

In a second example, an external bad actor logs into the network using credentials harvested through a previous phishing campaign. These credentials belong to a line of business manager at the company whose position gives him permission to access personnel records. The attacker uses this access to attempt to move around the network to find financial information. It’s out of character for the legitimate owner of the credentials to make such movements in the network and UEBA security determines the behavior to be somewhat risky. Following multiple attempts to move laterally around the network, the risk score goes to a high level, triggering an automated action to suspend the user’s account and alerting someone to investigate.
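The scoring logic described earlier (a user's own history, the peer group's history, and the user's entitlements, accumulated into a risk score that drives a response) and the two scenarios just told can be sketched in a few dozen lines. The Python below is an added toy model, not Gurucul's scoring, and every user, action, count, weight and threshold in it is a constructed assumption chosen to reproduce the ordering in the story: a routine action scores nothing, an action seen only among peers scores moderately, a novel and unentitled action scores high, and the running session total maps to allow, alert, or suspend.

```python
"""Toy UEBA risk scoring over constructed audit events.

Each event is scored against the user's own history, the peer group's history,
and the user's entitlements; the session total is mapped to a response.
Weights and thresholds are assumptions for illustration, not a product's values.
"""
from collections import Counter

# Constructed history: (user, action) -> how many times it was seen before.
HISTORY = Counter({
    ("dba1", "db:copy"): 60,
    ("dba2", "db:copy"): 45,
    ("dba2", "db:restore"): 3,
    ("mgr1", "hr:read-record"): 200,
    ("mgr2", "hr:read-record"): 150,
    ("mgr2", "fin:read-report"): 1,
})

# Constructed peer groups (job role) and entitlements per user.
PEER_GROUPS = {"dba1": "dba", "dba2": "dba", "mgr1": "lob-mgr", "mgr2": "lob-mgr"}
ENTITLEMENTS = {
    "dba1": {"db:copy", "db:restore"},
    "dba2": {"db:copy", "db:restore"},
    "mgr1": {"hr:read-record"},
    "mgr2": {"hr:read-record", "fin:read-report"},
}

# Assumed weights: points for an action seen for this user, seen only among
# peers, never seen in the group, plus a surcharge when it is not entitled.
SELF_SEEN, PEER_SEEN, NOVEL, UNENTITLED = 0, 20, 50, 30
# Assumed response thresholds, checked from most to least severe.
THRESHOLDS = (("suspend", 70), ("alert", 30), ("allow", 0))


def peer_count(user, action):
    """How often other members of the user's peer group performed the action."""
    group = PEER_GROUPS[user]
    return sum(n for (u, a), n in HISTORY.items()
               if u != user and PEER_GROUPS.get(u) == group and a == action)


def score_event(user, action):
    """Risk points for one event: higher the further it is from the user's and peers' norms."""
    if HISTORY[(user, action)] > 0:
        points = SELF_SEEN
    elif peer_count(user, action) > 0:
        points = PEER_SEEN
    else:
        points = NOVEL
    if action not in ENTITLEMENTS.get(user, set()):
        points += UNENTITLED
    return points


def decide(total):
    """Map a cumulative session score to the response a SOAR playbook would take."""
    for response, floor in THRESHOLDS:
        if total >= floor:
            return response
    return "allow"


def assess_session(user, actions):
    """Accumulate risk across a session; return (action, running total, decision) per step."""
    total, trail = 0, []
    for action in actions:
        total += score_event(user, action)
        trail.append((action, total, decide(total)))
    return trail


if __name__ == "__main__":
    # Scenario 1: the DBA's routine copy, then an upload to personal cloud storage.
    print(assess_session("dba1", ["db:copy", "net:upload-dropbox"]))
    # Scenario 2: stolen manager credentials reading HR as usual, then probing elsewhere.
    print(assess_session("mgr1", ["hr:read-record", "fin:read-report", "host:remote-login"]))
```

In scenario 1 the copy scores zero and the upload alone pushes the session to "suspend", matching the immediate block in the text; in scenario 2 the first out-of-character step lands at "alert" (the "somewhat risky" stage) and only the repeated attempts cross the suspend threshold. The peer-group term is what keeps a manager occasionally doing what other managers do from being treated the same as an action nobody in the role performs.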

Privileged accounts are at the root of so many breaches and cyber-attacks. They require extra safeguards that include continuous monitoring of how they are being used and determining if those actions are appropriate. This is the only way to stop misuse of privileged accounts in real-time.

[1] Andras Cser, Forrester Research Inc., “The Forrester Wave™: Privileged Identity Management,” November 14, 2018