SOC Insider Threat Security Analytics
Making sure that the right people have the right access to systems and applications is one of the best ways to secure corporate data. That’s Identity and Access Management (IAM). A lot of security budget dollars were poured into IAM solutions in recent years. But, despite the increased spend, companies still struggle with securing access. They particularly struggle with managing privileged accounts – the most powerful accounts on the network. It’s a huge issue, because according to Forrester, 80% of security breaches involve compromised privileged credentials.
To understand the danger that unsecured privileged accounts pose, start by considering what usually occurs during a cyberattack. Hackers penetrate your network via a host of tactics – social engineering, phishing emails, malicious insiders, zero-days, and other methods. Most of these attack vectors can easily bypass conventional cybersecurity tools like firewalls, Intrusion Detection Systems, or traditional SIEMs that are defending mostly against known vulnerabilities. Or, in other words, yesterday’s threats.
Once inside the network, the intruders start looking for ways to increase their access. To do so, they might install remote access kits or key loggers. During this stage of the attack, intruders seek out passwords, SSH keys, certificates, and domain admin hashes. Their objective is to compromise the credentials that will let them escalate their access, achieve lateral movement, and anonymously steal data.
Privileged access is the key element in this process. With access to an unsecured privileged account, an intruder can find and steal sensitive data, alter system configuration settings, and install and run programs.
In most large enterprises, there are so many privileged accounts that IT can’t keep track of all of them or who can access them. The rise of cloud computing and the influx of IoT devices has made the problem even more complex.
Unsecured privileged accounts are a serious security threat that can be abused by a malicious insider or an external cyberattack. In fact, according to Cybersecurity Insiders’ Insider Threat Report, 63% of organizations think that privileged IT users pose the biggest insider security risk That’s not surprising considering that it only takes one hijacked privileged account to snowball into a data breach disaster.
Manually discovering and monitoring every privileged account in a large enterprise is practically impossible. And if you don’t know where something exists, you can’t defend it. But just because you may not know where all your privileged accounts reside, doesn’t mean your adversaries can’t locate them – and exploit them.
A lot of people would assume that their organization’s IAM tool can solve the unsecured privileged accounts problem. They’d be wrong. IAM deals principally with user identities tied to a particular person.
But standard IAM systems don’t manage privileged identities. Unlike user identities, privileged identities are not mapped to an individual. They may be used by many different people. Sometimes humans don’t even use them, like privileged identities that run service accounts. So, essentially, the people using a privileged identity may be different from one moment to the next. Therefore, it’s imperative to understand who has privileged access, and audit what they do with their access.
Many organizations have turned to privileged access management (PAM) solutions to get a handle on the situation. PAM tools are great for managing and securing the credentials that grant access to privileged accounts. However, PAM falls short in one significant area – the ability to manage the increasing amount of privileged entitlements in the enterprise. In fact, through analysis of the data in some of our customer environments, we estimate that more than half of privileged access entitlements exist outside of IAM and PAM solutions (meaning they’re likely to be unknown).
Considering the scale and frequency of the unsecured privileged accounts problem, what can organizations realistically do to lock down their privileged accounts? They need a solution that can both identify vulnerable privileged accounts and the entitlements for these accounts. Despite the rise of IAM and PAM implementations over the past several years there is still a gap between access being granted and knowing what users are actually doing with that access.
Gurucul’s Identity Analytics addresses these gaps through the use of machine learning models that generate risk scores down to the entitlement level. Identity Analytics provides discovery – including privileged entitlements – and delivers visibility, analysis and risk scoring. All of this facilitates remediation of privileged access risks.
Gurucul Identity Analytics can enhance your existing IAM and PAM solutions by providing granularity down to entitlement risk scoring. That’s because its machine learning models can absorb vast sources of information and detect privileged access risks at the entitlement level. Identity Analytics finds your “access outliers” and applies risk scoring to them based on behavior, peers, access, activities and context. This solution facilitates the complete accounting of privileged accounts and entitlements. That includes discovering normal accounts that have hidden privileged access entitlements.
Manual attempts to accomplish this enormous task are exhausting, futile, and leave many unknown access risks. The labeling of accounts as privileged through IAM and PAM is not enough. Organizations need Identity Analytics’ machine-learning models to find unknown privileged access and provide a risk-based approach for securing this access.
