ABCs of UEBA: P is for PRIVILEGE

Privileged accounts are targeted by cyber criminals because they provide the keys to the kingdom – literally. Attackers need privilege to gain access to systems with sensitive data, install malware, exfiltrate data, and take control of systems and devices. Getting privileged access is the entire point of corporate hacking attempts. A prime use case of User and Entity Behavior Analytics (UEBA) is detecting and preventing privileged access abuse. This could be an attacker accessing high value systems with a compromised account or a privileged user abusing their existing access. Either way, monitoring the behavior of privileged accounts and users is key to keeping these high value assets secure.

But I Have a PIM/PAM for That…

You may have a Privileged Identity Management (PIM) or Privileged Access Management (PAM) system, which vaults privileged accounts and requires a check-out/check-in workflow for administrators. These are excellent controls, but how can you monitor what privileged users are doing with these accounts once they have been checked out of the vault? Even if the PIM/PAM solution comes with session monitoring, the additional hardware and the management overhead of reviewing hours of session recordings limit your ability to catch privileged access abuse in real time. Session management solutions are great for searching and viewing recordings of administrative actions after the fact, but by then it’s too late.

UEBA applies machine learning models to big data to monitor users and entities in real time and tell you what is happening with privileged accounts outside of the vault. Gurucul UEBA provides a single unified risk score for every user and entity in the network, generated from unlimited structured and unstructured data sources, including systems, applications, and devices. This is vastly more effective for pinpointing malicious behavior than the siloed analytics offered by some PIM/PAM products. You need to analyze and risk score all of the activities of users and entities across the entire network to see the full picture and get to the truth.

Privileged Access Abuse: The Insider Threat on Steroids

Malicious insiders can devastate your corporate data, intellectual property, and ultimately your business. The worst insider threats are privileged users who abuse their administrative access. These are the employees you trust to control and run your infrastructure and operations. When they choose to defraud your organization, the damages can be devastating.

Gurucul UEBA enables you to monitor privileged users and privileged accounts so you can detect risky and anomalous behavior. The difficulty here is that privileged users may perform potentially risky actions as part of their job, so how can you tell when their behavior is malicious? Machine learning is a wonderful technology for this very use case.

Baseline Me, Please

It all starts with baselining user and entity behavior. In the case of privileged users, even though they have administrative access to any number of assets and applications, there is always the concept of need to know or need to access. Just because they have administrative access, should they use it? Should your SharePoint administrator view sensitive documents like offer letters that may be stored in an HR folder? Obviously not. So, how do you stop high privilege users from abusing their access?

To stop privileged users from viewing and stealing data or IP, you need to baseline their behavior so specifically that any deviation raises a red flag – or in Gurucul’s case, the user’s risk score. By leveraging the combination of accounts, access, and activity data, Gurucul UEBA can identify high privileged access (HPA) abuse.

Gurucul ingests activity data from enterprise-level audit or log sources (e.g., a SIEM or log aggregator) or obtains it directly from the target data sources. Once HPA accounts are identified, UEBA can detect suspicious behavior and misuse such as using HPA to assign special or elevated privileges to the user’s own account, followed by activity performed with those privileges. It can detect transactions happening outside the window between a privileged account’s password check-out and check-in. It identifies when privileged users access resources and execute transactions outside their normal behavior profiles, abnormally access classified or sensitive documents, or run multiple concurrent sessions from the same account across different IPs, devices, locations, etc.
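The three detections named above (activity outside the vault check-out window, an account granting itself privileges and then using them, and one account active from several IPs at once) can be expressed as rules over two event streams. The following is an added example written for this page, not Gurucul code or any PAM vendor's format: the vault and activity record layouts, the `user:role` target convention, the constructed sample events and the rule weights are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample data. The record layouts below are assumptions of this
# example, not Gurucul's or any PAM vendor's format.
# Vault events: (account, action, iso_timestamp, admin_who_requested)
VAULT_EVENTS = [
    ("svc_dba", "checkout", "2024-03-04T09:00:00", "alice"),
    ("svc_dba", "checkin",  "2024-03-04T10:00:00", "alice"),
]
# Activity events: (account, iso_timestamp, source_ip, action, target)
ACTIVITY_EVENTS = [
    ("svc_dba", "2024-03-04T09:15:00", "10.0.0.5", "query", "orders"),
    ("svc_dba", "2024-03-04T09:20:00", "10.0.0.9", "query", "orders"),        # second IP, same account
    ("svc_dba", "2024-03-04T11:30:00", "10.0.0.5", "query", "salary"),        # after check-in
    ("bob",     "2024-03-04T13:00:00", "10.0.0.7", "grant_role", "bob:admin"),  # grants self a role
    ("bob",     "2024-03-04T13:05:00", "10.0.0.7", "read", "hr_share"),       # uses it minutes later
]
ELEVATION_ACTIONS = {"grant_role", "add_to_group"}
RULE_WEIGHTS = {  # illustrative weights, not a calibrated scoring model
    "outside_checkout_window": 40,
    "self_elevation_then_activity": 50,
    "concurrent_sessions": 30,
}

def ts(s):
    return datetime.fromisoformat(s)

def checkout_windows(vault_events):
    """Pair every check-out with the next check-in of the same account."""
    windows, open_checkouts = defaultdict(list), {}
    for account, action, when, _admin in sorted(vault_events, key=lambda e: e[2]):
        if action == "checkout":
            open_checkouts[account] = ts(when)
        elif action == "checkin" and account in open_checkouts:
            windows[account].append((open_checkouts.pop(account), ts(when)))
    for account, start in open_checkouts.items():  # still checked out: open-ended window
        windows[account].append((start, datetime.max))
    return dict(windows)

def outside_checkout_window(activity_events, windows):
    """Activity by a vaulted account at a time nobody had it checked out."""
    return [ev for ev in activity_events
            if ev[0] in windows
            and not any(start <= ts(ev[1]) <= end for start, end in windows[ev[0]])]

def self_elevation_then_activity(activity_events, within=timedelta(hours=1)):
    """An account granting itself a role, then acting within the window.
    The 'user:role' target convention is an assumption of this example."""
    events = sorted(activity_events, key=lambda e: e[1])
    findings = []
    for i, ev in enumerate(events):
        account, when, _ip, action, target = ev
        if action in ELEVATION_ACTIONS and target.split(":")[0] == account:
            for later in events[i + 1:]:
                if (later[0] == account and later[3] not in ELEVATION_ACTIONS
                        and ts(later[1]) - ts(when) <= within):
                    findings.append((ev, later))
                    break
    return findings

def concurrent_sessions(activity_events, within=timedelta(minutes=30)):
    """Same account active from two different source IPs within the window."""
    hits = set()
    for a, b in combinations(activity_events, 2):
        if a[0] == b[0] and a[2] != b[2] and abs(ts(a[1]) - ts(b[1])) <= within:
            hits.add((a[0], tuple(sorted((a[2], b[2])))))
    return sorted(hits)

def risk_scores(vault_events, activity_events):
    """Roll the three rules up into one additive score per account."""
    scores = defaultdict(int)
    for ev in outside_checkout_window(activity_events, checkout_windows(vault_events)):
        scores[ev[0]] += RULE_WEIGHTS["outside_checkout_window"]
    for elevation, _follow_on in self_elevation_then_activity(activity_events):
        scores[elevation[0]] += RULE_WEIGHTS["self_elevation_then_activity"]
    for account, _ips in concurrent_sessions(activity_events):
        scores[account] += RULE_WEIGHTS["concurrent_sessions"]
    return dict(scores)

if __name__ == "__main__":
    for account, score in sorted(risk_scores(VAULT_EVENTS, ACTIVITY_EVENTS).items()):
        print(f"{account}: {score}")
```

On the sample data `svc_dba` scores 70 (one query after check-in plus two source IPs five minutes apart) and `bob` scores 50 (a self-granted role used within the hour). The point of the check-out window rule is that it needs both streams joined on the account: neither the vault log nor the database audit log shows the problem on its own.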

Gurucul UEBA can catch system administrators in the act of elevating their own or others’ account privileges in the cloud and identify where they are misusing those privileges. It can catch Google G-Suite administrators who create accounts, elevate privileges, and make company documents public so they are available for download by anyone from anywhere.

Gurucul UEBA can identify and send alerts when system administrators are discovered running non-approved applications. It examines and classifies web traffic; when a non-approved application is being run by an unauthorized user account, the event is flagged and, if desired, an alert is sent. In this way, Gurucul UEBA can quickly detect when a system administrator is running a non-approved application and alert your investigative team to take action before critical company data assets are damaged.

Use Case: Confidential Salary Information Compromised

A contract payroll database administrator had access to view salary tables for employees. He used his access to look at pay rates, specifically those of his friends and teammates.

Although the contractor was prohibited from performing this unsanctioned behavior, he did so since he thought his activity was unmonitored. Well, surprise – he thought wrong. His activity was being monitored with Gurucul UEBA. This compromise was caught as an anomalous run of a “select *” query. This kind of disruptive privileged access abuse is all too frequent yet easily caught with the right technology. Side note: make sure you add third party contractors to the list of privileged users you need to monitor.
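Both the baselining argument above and this use case come down to the same mechanic: learn what a privileged user's normal queries look like, then score a new query by how far it departs from that profile. The following is an added example for this page, not Gurucul's scoring model or any real database's audit format: the audit line layout (`timestamp user rows_returned sql`), the constructed baseline queries, the three features scored and the point values are all assumptions of the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit lines in the form "<timestamp> <user> <rows_returned> <sql>".
# The layout and the queries are assumptions of this example.
BASELINE_LOG = [
    "2024-03-01T09:01 contractor_dba 12 SELECT emp_id, pay_rate FROM salary WHERE emp_id = 1042",
    "2024-03-01T09:40 contractor_dba 8 SELECT run_id, status FROM payroll_runs WHERE status = 'PENDING'",
    "2024-03-02T10:05 contractor_dba 15 SELECT emp_id, pay_rate FROM salary WHERE dept = 'ENG'",
    "2024-03-02T11:20 contractor_dba 9 SELECT run_id, total FROM payroll_runs WHERE run_id = 77",
    "2024-03-03T09:15 contractor_dba 11 SELECT emp_id, pay_rate FROM salary WHERE emp_id = 2210",
    "2024-03-03T14:00 contractor_dba 7 SELECT run_id, status FROM payroll_runs WHERE status = 'FAILED'",
]
NEW_QUERIES = [
    "2024-03-04T09:30 contractor_dba 10 SELECT emp_id, pay_rate FROM salary WHERE emp_id = 3001",
    "2024-03-04T16:45 contractor_dba 4200 SELECT * FROM salary",
    "2024-03-04T17:00 contractor_dba 300 SELECT * FROM hr_offer_letters",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.+)$")
TABLE_RE = re.compile(r"\bfrom\s+([a-z_][a-z0-9_.]*)", re.IGNORECASE)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable audit line: {line!r}")
    when, user, rows, sql = m.groups()
    return {"ts": when, "user": user, "rows": int(rows), "sql": sql}

def query_shape(sql):
    """Reduce a statement to the two features the baseline tracks:
    whether it is a bare 'select *' and which table it reads."""
    norm = " ".join(sql.split()).lower()
    select_star = norm.startswith("select *")
    m = TABLE_RE.search(norm)
    return select_star, (m.group(1) if m else "<unknown>")

def build_baseline(lines):
    """Per-user profile: tables touched, share of 'select *', rows returned."""
    base = defaultdict(lambda: {"tables": set(), "queries": 0, "select_star": 0, "rows": []})
    for rec in map(parse, lines):
        star, table = query_shape(rec["sql"])
        profile = base[rec["user"]]
        profile["tables"].add(table)
        profile["queries"] += 1
        profile["select_star"] += star
        profile["rows"].append(rec["rows"])
    return base

def score_query(baseline, line):
    """Additive deviation score plus the reasons; weights are illustrative."""
    rec = parse(line)
    star, table = query_shape(rec["sql"])
    profile = baseline.get(rec["user"])
    if profile is None:
        return 50, ["no baseline for this user"]
    score, reasons = 0, []
    if table not in profile["tables"]:
        score += 30
        reasons.append(f"first access to table {table}")
    if star and profile["select_star"] / profile["queries"] < 0.05:
        score += 30
        reasons.append("select * where the user normally names columns")
    if len(profile["rows"]) >= 2:  # need a spread to judge volume
        mean, sd = statistics.mean(profile["rows"]), statistics.pstdev(profile["rows"])
        if rec["rows"] > mean + 3 * sd:
            score += 40
            reasons.append(f"{rec['rows']} rows returned vs baseline mean {mean:.0f}")
    return score, reasons

if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOG)
    for line in NEW_QUERIES:
        score, reasons = score_query(profile, line)
        print(score, reasons, "<-", parse(line)["sql"])
```

The narrow lookup scores 0, the `select * from salary` scores 70 (bare `select *` from a user who never writes one, returning two orders of magnitude more rows than usual) even though the table itself is one he legitimately uses, and the dump of an HR table he has never touched scores 100. The same three features work for a contractor or an employee, which is why the contractor accounts belong in the baselined population rather than outside it.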

Are You Entitled to Privileged Access?

UEBA is excellent at monitoring user and entity activity and transaction logs. Identity Analytics looks at access and entitlement logs. Adding Identity Analytics to the mix provides unprecedented visibility into privileged access risks. Managing privileged access effectively originates with privileged access discovery at the entitlement level, not at the account level. This is where data science and machine learning prove invaluable. With these advanced technologies, cybersecurity teams can discover who has privileged access with privileged entitlements that may have escalated after provisioning or exist within applications and unstructured data. This enables security leaders to manage, monitor and control privileged access with optimal effectiveness and reduced risk.
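Entitlement-level discovery, as described above, compares what a user actually holds across applications against what was provisioned and against what their peers hold; a privileged entitlement that no account-level inventory would show up on becomes visible this way. The following is an added example for this page, not Gurucul Identity Analytics code: the user names, role names, entitlement strings and the "held by only one member of a role" outlier rule are assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed data; the user names, role names and entitlement strings are
# assumptions of this example, not a real application's entitlement model.
PROVISIONED = {  # what the onboarding/approval workflow granted
    "alice": {"hr.read_own", "sharepoint.contribute"},
    "bob":   {"hr.read_own", "sharepoint.contribute"},
    "carol": {"hr.read_own", "sharepoint.contribute", "sharepoint.site_admin"},
    "dave":  {"hr.read_own", "payroll.view_runs"},
}
CURRENT = {  # what the applications and directory actually report today
    "alice": {"hr.read_own", "sharepoint.contribute"},
    "bob":   {"hr.read_own", "sharepoint.contribute", "sharepoint.site_admin", "hr.read_all_salaries"},
    "carol": {"hr.read_own", "sharepoint.contribute", "sharepoint.site_admin"},
    "dave":  {"hr.read_own", "payroll.view_runs", "payroll.export_all"},
}
ROLES = {"alice": "analyst", "bob": "analyst", "carol": "sp_admin", "dave": "payroll_clerk"}
PRIVILEGED = {"sharepoint.site_admin", "hr.read_all_salaries", "payroll.export_all"}

def escalated_since_provisioning(provisioned, current):
    """Entitlements held now that the provisioning record never granted."""
    drift = {user: ents - provisioned.get(user, set()) for user, ents in current.items()}
    return {user: extra for user, extra in drift.items() if extra}

def privileged_holders(current, privileged):
    """Everyone holding a privileged entitlement, admin account or not."""
    return {user: ents & privileged for user, ents in current.items() if ents & privileged}

def peer_outliers(current, roles):
    """Entitlements that only one member of a multi-person role holds."""
    members = defaultdict(list)
    for user, role in roles.items():
        members[role].append(user)
    outliers = {}
    for users in members.values():
        if len(users) < 2:  # a one-person role has no peers to compare with
            continue
        counts = Counter(e for u in users for e in current.get(u, set()))
        for u in users:
            rare = {e for e in current.get(u, set()) if counts[e] == 1}
            if rare:
                outliers[u] = rare
    return outliers

def discover(provisioned, current, roles, privileged):
    """Combine the three views into per-user findings. 'escalated_privileged'
    is the one to act on first: privileged access nobody approved."""
    escalated = escalated_since_provisioning(provisioned, current)
    holders = privileged_holders(current, privileged)
    outliers = peer_outliers(current, roles)
    report = {}
    for user in sorted(current):
        finding = {
            "escalated_privileged": escalated.get(user, set()) & privileged,
            "privileged": holders.get(user, set()),
            "peer_outlier": outliers.get(user, set()),
        }
        if any(finding.values()):
            report[user] = finding
    return report

if __name__ == "__main__":
    for user, finding in discover(PROVISIONED, CURRENT, ROLES, PRIVILEGED).items():
        print(user, finding)
```

`carol` holds a privileged entitlement but was provisioned it, so she appears only under `privileged`; `bob` and `dave` hold privileged entitlements that were never approved, and `bob` additionally stands out from the other analyst. `alice` produces no finding at all.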

Left unchecked, excess privileged access creates an unwieldy threat landscape. Understanding where privileged accounts are, how to restrict these privileges, and how to monitor access to them is critical. Gurucul can help. Contact us for more information. Let us show you why UEBA powered by machine learning is such a game changer.
