With modern day insider threats on the rise and privileged access (PA) widely acknowledged as a prime target of hackers, customers employing traditional security solutions are recognizing growing challenges: the inability to discover both unknown privileged access and privileged access abuse. These issues translate directly into a broad, unmapped ‘access threat plane’ and a myriad of excess access and access outlier risks. Indeed, some industry experts estimate more than half of privileged access entitlements exist outside traditional access management solutions. These solutions lack a discovery feature to close the gap of what access is provided and what activity that access is being applied to. Many organizations still rely on manual methods to manage privileged accounts and their credentials, with some continuing to use default passwords. Most organizations lack an approval process to even create privileged accounts. Organizations are asking if they can live with these risks given that identity is the new attack vector and the most valuable accounts to be compromised are those provisioned with privileged access.
Privileged access management (PAM) and privileged identity management (PIM) are recognized for delivering a critical and irreplaceable vaulting component of access security and protecting privileged access credentials. Their customers nonetheless are looking to strengthen their solution capabilities to provide the comprehensive security required in the evolving hybrid networks of today. With rapidly evolving conditions in enterprise environments, PAM and PIM are currently unable to fully manage all privileged accounts and entitlements as these solutions lack discovery of hidden or unknown privileged access. This is due in a large part to a dependency on siloed and vaulted inventory lists leaving a growing number of privileged access entitlements unmanaged and unaccounted for. PAM and PIM need a partner capable of providing broad visibility through machine learning discovery they are currently unable to offer. Having the ability to identify and analyze access across all environments, along with the ability to monitor and assess user behavior holistically – empowered by machine learning and drawing from big data – is needed to address this growing challenge.
This whitepaper provides insight into the capabilities of identity analytics (IdA) incorporated with user and entity behavior analytics (UEBA), and PAM/PIM solutions, to form a comprehensive new risk-based security solution set: privileged access analytics (PAA).
Privileged access relates to heightened or empowered user capabilities for interaction with a broad range of systems and infrastructure which includes operating systems (OSs), databases, middleware and applications, network devices, hypervisors, and cloud services. Within the cloud itself this includes infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and identity access management as a service (IDaaS). Access to privileged accounts also includes third parties such as contractors, vendors and service provider technicians. In addition, services or application user accounts with elevated privileges utilized by nonhuman users are included in this category. PAM is sometimes used to manage shared access to non-administrative shared accounts, for example an enterprise’s social media platforms.
Many security professionals associated with the identity access management space would observe that privileged access is a category of accounts that are issued by IT and which often have a prefix nomenclature associated with it to facilitate effective inventory account management. An example would be an ‘x’ prefix being placed before the organization member’s name (i.e., x_jdoe versus e_jdoe). The ‘x’ would designate this account as an administrative account. This convention of prefix nomenclature would provide an easy way for IT to identify these known privileged accounts and facilitate access management.
The critical point to observe from the example above is ‘known privileged account.’ The unknown privileged accounts and entitlements represent a growing and concerning magnitude. From a realistic and comprehensive security perspective, however, the scope of definition for privileged access must be broadened significantly. Here’s one example. A user with privileged access (along with the ‘x’ prefix designation) grants elevated access entitlements to another user with a regular (non-‘x’ prefix) user account. No one would know that because the user’s account moniker remains unchanged. This popular IT naming nomenclature in effect means nothing from a security perspective.
Privileged access can and does grow unchecked and undocumented at an alarming pace. Case in point, the use of identity analytics for a Gurucul customer uncovered over 70% of unknown privileged access. This is imperative if organizations want to address privilege access abuse with UEBA machine learning as a top use case. UEBA without identity analytics cannot address the privileged access use case holistically.
“UEBA is one of the most powerful new security controls to emerge in recent memory. I believe that most – if not all – our technical security controls will have some element of UEBA associated with it. I view this as a very strategic shift for Aetna security, and I think that the rest of the industry will be following as well.”
– Kurt Lieber, CISO, Aetna
Only access entitlements determine whether a user account is privileged or not. The observation here is that it is a mistake to view this issue from the traditional perspective of user privileged accounts. Instead it should be seen as privileged access and the way a user obtains this access is by being granted privileged access entitlements. That’s how any user account becomes a privileged access account. Challenges occur with the proliferation of entitlement access outside the known inventory of designated privileged access accounts.
Acknowledging that privileged access comes from entitlements for users outside an established privileged access group – a majority of which reside outside traditional access inventory and management systems and which follows no conventional nomenclature – the issue of effective management and security assurance quickly becomes a measurable concern.
Understanding the fundamental realities of privileged access is essential to successful security assurance. Managing privileged access effectively entails successful implementation of the following solution phases:
Unfortunately, currently available IAM/PAM/PIM solutions don’t cover all of these phases.
Two points of view persist on the question of who has privileged access. One is the traditional perspective that defines privileged access as those users who are listed in an organization’s database in privileged user access account inventory. These accounts define a user’s privileges and roles, and would represent the population of which users have been granted traditional privileged access. These users can be further divided into two general categories:
Administrator accounts at the system level have elevated privileges. This category would include the main systems administrator, root account administrator, as well as local and other system administrators. A number of these accounts may be default shared system privileged accounts used by different users. These administrator accounts are traditionally managed by PAM/PIM solutions, which control the accounts and vault the associated credentials.
This category includes regular user accounts that have been granted additional privilege entitlements or that could be added as a member of the domain administrator group. In this case, these regular user accounts would inherit the relevant elevated privileges of the domain administrator group. This is an example of a normal user account with privileged access entitlements. This category is sometimes under the purview of PAM/PIM access management.
Additional categories, however, do not fall into the traditional classification models above. Exceptions to the traditional perspective of privileged access represent an additional access threat plane and a serious access risk to any enterprise. One such category is:
An example within this broad category is that a user can have access within a sensitive business application: a department director who has the authority to approve purchases or money transfers of up to $5,000. Anyone with an approval button of this nature has privileged access, yet malicious activity on this account might remain off the radar because of the low approval level which can be abused with repetition. Members of the IT team, however, might very likely remain unaware of this instance of privileged access simply because it is not classified in a way that conforms with the existing inventory schema in the database. Other examples might include the short list of staff members who can submit payroll, or brokers in brokerage firms who can move hundreds of millions of dollars in a day.
While all these examples may not be within Active Directory or an administrative group, these capabilities represent privileged functions. They are only a few examples of this concept within a broad range of entitlements that represent privileged access and which are fundamentally unaccounted for in traditional PAM/PIM solutions. However, a host of hackers are decisively aware of them as prospects for lucrative targets of opportunity. These use cases are not currently accounted for by either PAM or PIM.
Many more instances of privileged access exist, such as account type, shared team accounts, the access channel, and how people use these accounts.
These include:
Additional considerations include the type of access users have, who owns these accounts, as well as application-to-application service accounts that are used to pull information from other systems.
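As an added illustration of the point made above, that entitlements rather than account names determine who is privileged, the following Python resolves each account’s effective entitlements through nested group membership and reports which privileged accounts sit outside the designated ‘x’-prefixed inventory. This is example code, not Gurucul’s; every account, group and entitlement name in it is constructed.

```python
"""Entitlement-based discovery of privileged access (added example, not
Gurucul's code). Inventory, groups and entitlement catalogue are constructed."""

# Accounts IT designates as privileged through the 'x' prefix convention.
DESIGNATED_PRIVILEGED = {"x_jdoe", "x_asmith"}

# Membership: principal -> groups it belongs to. A group can itself be a
# member of another group, so privileges inherit through nesting.
MEMBER_OF = {
    "x_jdoe": {"Domain Admins"},
    "x_asmith": {"Helpdesk"},
    "e_jdoe": {"Finance"},
    "e_rlee": {"Infra-Team"},
    "Infra-Team": {"Domain Admins"},  # nested: Infra-Team inherits Domain Admins
    "e_mchan": {"Finance"},
}

# Direct entitlements: principal -> entitlements. e_jdoe was handed mailbox
# admin rights by an administrator; the account name never changed.
DIRECT_ENTITLEMENTS = {
    "Domain Admins": {"ad.domain_admin"},
    "Helpdesk": {"ad.password_reset"},
    "Finance": {"erp.view_invoices"},
    "e_jdoe": {"exchange.mailbox_admin"},
    "e_mchan": {"erp.approve_purchase:5000", "hr.submit_payroll"},
    "svc_etl": {"db.payroll.select"},  # app-to-app service account pulling data
}

# What the organisation deems privileged: system-level rights and
# business-application functions (approval authority, payroll, data pulls).
PRIVILEGED_ENTITLEMENTS = {"ad.domain_admin", "exchange.mailbox_admin",
                           "hr.submit_payroll", "db.payroll.select"}
PRIVILEGED_PREFIXES = ("erp.approve_purchase:",)  # any approval limit counts

ACCOUNTS = ["x_jdoe", "x_asmith", "e_jdoe", "e_rlee", "e_mchan", "svc_etl"]

def is_privileged_entitlement(ent):
    return ent in PRIVILEGED_ENTITLEMENTS or ent.startswith(PRIVILEGED_PREFIXES)

def effective_groups(principal):
    """Transitive closure over nested group membership (cycle-safe)."""
    seen, stack = set(), list(MEMBER_OF.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, ()))
    return seen

def effective_entitlements(account):
    """Direct entitlements plus everything inherited through groups."""
    ents = set(DIRECT_ENTITLEMENTS.get(account, ()))
    for group in effective_groups(account):
        ents |= DIRECT_ENTITLEMENTS.get(group, set())
    return ents

def discover_privileged_access(accounts):
    """{account: sorted privileged entitlements} for every account that holds
    at least one privileged entitlement, whatever its name says."""
    found = {}
    for acct in accounts:
        priv = sorted(e for e in effective_entitlements(acct)
                      if is_privileged_entitlement(e))
        if priv:
            found[acct] = priv
    return found

def discovery_gap(accounts):
    """Known = discovered and in the designated inventory; unknown = discovered
    but outside it; mislabeled = designated yet holding no privileged right."""
    found = discover_privileged_access(accounts)
    known = {a: e for a, e in found.items() if a in DESIGNATED_PRIVILEGED}
    unknown = {a: e for a, e in found.items() if a not in DESIGNATED_PRIVILEGED}
    return {
        "known": known,
        "unknown": unknown,
        "mislabeled": sorted(DESIGNATED_PRIVILEGED - set(found)),
        # share of real privileged access that the naming convention misses
        "unknown_share": len(unknown) / len(found) if found else 0.0,
    }

if __name__ == "__main__":
    gap = discovery_gap(ACCOUNTS)
    print(f"outside the inventory: {gap['unknown_share']:.0%}", gap["unknown"])
```

On this constructed data four of the five accounts that actually hold privileged entitlements carry no ‘x’ prefix, and one ‘x’ account holds none.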
Organizations continue to provide access which is designated privileged, as well as non-privileged, while the challenge of assuring security for these accounts multiplies and proliferates with accelerating concern. The pressing question remains: how do organizations discover and manage all instances of privileged access? From a SOC perspective, it is the true nature of the access, not a constrained inventory labeling convention, that determines real privileged access.
Consider as well, quarterly access reviews of forty to fifty thousand employees in an enterprise, each with over a hundred entitlements. Too many organizations simply rubber stamp the certifications because individual assessment of the accounts simply does not scale for most organizations. That’s the challenge and the review process can’t be achieved with naming conventions and tracking inventory. That approach is incomplete and unreliable. This second realm of nontraditional privileged access remains hidden, albeit unintentionally. This represents a sprawling world of unknown access risk to organizations.
Additional factors complicating and expanding the privileged access challenge include:
The access threat plane of unknown privileged access risks expands with each of these scenarios. The factors cited above represent a collection of known unknowns. The scope of this white paper is not intended to depict the entirety of this concerning area of access risk, which extends far beyond the examples cited above and represents a broad range of unknown unknowns.
The following case studies are drawn directly from recent Gurucul field experience, and they provide an insight into real world instances of privileged access abuse, as well as the gravity and consequences of PA being mismanaged:
A domain administrator of a large financial services company took advantage of those rights and gave email administrator access to themselves. The only reason this activity was ultimately discovered was because of a log file review. However, before this occurred, the individual with this access began to explore the CEO’s mailbox without anyone knowing. In the course of this unsanctioned activity, the email administrator access privileges enabled the acquisition of highly confidential information about a pending merger that was about to take place with the company and another enterprise. The domain administrator’s activities were ultimately discovered before any damage to the company occurred, and before anyone else in the company knew. However, due to the sensitivity of the data, had it been released in an untimely manner, and parties benefited from this information in the form of stock market trades or other activities, there would have been SEC violations and other regulatory considerations which could have caused severe consequences for the company.
A contract payroll database system administrator who was updating the company’s database had access to view the salary tables for employees. He used the access to look at pay rates, especially those of the administrator’s friends and teammates. Although the contractor was prohibited from performing this unsanctioned behavior, he did so nonetheless since he knew his activity was unmonitored. This compromise was finally caught as an anomalous run of a select * query. This kind of information, if distributed, can result in discontent and ill feelings within a company when recipients of the information learn that their salaries might be significantly lower than those of colleagues they considered to be their equals and peers. Once it is released, the feelings it generates within a company will take time to resolve. For the company this also makes future salary negotiations problematic. This kind of disruptive privileged access activity is unfortunately a frequent occurrence in organizations today.
An employee at a financial services company was using his privileged access to look at the full credit card view of customer information, along with the credit card stripe data. The SOC team discovered this anomalous behavior through UEBA, confronted the individual and informed him that despite his management position in the company, he had no authority to view this privileged information. Companies in this commercial space base their position in the marketplace on trust and reliable service delivery capabilities. When an unauthorized activity like this occurs, even if it does not result in any theft, it still represents serious potential damage to the company’s reputation, which rests on assuring customers that its people can be trusted with this highly sensitive data.
A company’s cloud access administrator had administrative access to Salesforce during his tenure with the company. After he left the company his access to Salesforce.com was not disabled. As a result he used this privileged access to harvest vast amounts of sensitive customer data. He ultimately shared this highly sensitive information with competing interests. This nefarious action inflicted serious financial damage on the company, representing over one million dollars of lost market share.
While delivering a critical and irreplaceable component of access security – and often adopted in compliance with Sarbanes-Oxley data security standards requirements – PAM and PIM customers are looking to strengthen their capabilities to provide the comprehensive privileged access security required in the evolving hybrid networks of today. A number of players in the security industry observe that while PAM and PIM are readily acknowledged for providing essential and critical features such as vaulting and protecting access credentials, they also need supplemental solution support to manage privileged access security properly in today’s networks. They point to the vast collection of privileged access lists in the PAM/PIM database inventories, which are required, but these inventories do not account for the unknown privileged access entitlements. Some experts estimate they exceed 50% of an organization’s total privileged access entitlements. What this means is the solutions lack full visibility into privileged access. This discovery gap of identifying and managing privileged access entitlements is the key issue on PIM/PAM customers’ minds.
First, an estimated 10% of organizations have a PAM-like solution (State of PAM Security, Thycotic, 2016), which means that 90% are operating with manual methods, perhaps using default passwords, and may lack approval processes to establish privileged access. Generally, PAM solutions provide a vault for credentials and one-time access credential management, which is essential and invaluable. However, they currently offer no functionality to discover privileged access, or to detect access outliers, excess access, shared PA accounts, privileged access abuse or compromised privileged accounts.
While a few PAM vendors provide limited UEBA capabilities to flag anomalies, they are siloed and lack the full context across all of an organization’s environments. That can only be delivered by machine learning analysis and by leveraging big data. While some PAM/PIM vendors have stated their plan to provide this kind of feature modification on their product roadmaps, this represents solution modifications sometime in the future. While technology and hacker innovation never sleep, the need for solutions to address the PA discovery problem is urgent and very much in the present. Any untested proposed solution on a vendor’s roadmap for the future must ultimately be measured against established best-of-breed solutions currently available on the market.
It’s important to observe as well that some PAM solutions with mini-UEBA features are not UEBA driven by advanced machine learning from big data and often lack identity analytics. They are limited to rules, statistics and basic correlations, a process which delivers its own digital exhaust requiring extensive manual analysis, fundamentally replacing one arduous manual process with another. These segmented solutions also currently lack the monitoring visibility needed to discover, analyze and correlate privileged identity analytics, deliver reliable risk-based assessments, assign risk scores and provide actionable results for remediation. The discovery gap is a major concern in addressing privileged access risk and abuse.
PAM solution primary use cases are:
Vaulted credentials and access to those accounts is brokered for human users, services and applications. Password and other forms of credentials for privileged accounts are actively managed (i.e., changed at definable intervals or upon occurrence of specific events).
Specific privileges are granted on the managed system by host-based agents to users logged in with unprivileged accounts. This includes privilege elevation, in the form of allowing particular commands to be run with a higher level of privileges.
PAM key features include:
PAM key features do not include:
A number of industry leaders have observed the concerning number of privileged access instances which reside outside organizations’ access management purview. Gurucul’s Craig Cooper, Chief Operating Officer, is one of them: “Most Fortune 500 companies have more privileged access outside the vault than inside.”
The reliable discovery and comprehensive risk-based security monitoring of privileged access accounts and entitlements and their use has been, and will be, a serious and growing challenge for enterprises. Existing PAM customers and those considering PAM adoption should understand there are no guarantees that PAM can provide the discovery results needed to assure adequate privileged access security. And with future-proofing in planning stages with security leaders for tomorrow’s environments, PAM/PIM solutions benefit greatly by adding identity analytics from UEBA machine learning solutions for a risk-based approach to privileged access security.
Addressing the discovery gaps in PAM and PIM requires the ability to provide visibility of all privileged entitlements and have full contextual monitoring, analysis, risk scoring and remediation. This full context means having the ability to see the access and activity of all the users and entities with privileged entitlements within the various PAM and PIM vaulted inventories. It would also include the ability to see the access and activities of those outside the vault and what PAM and PIM solutions don’t yet account for. These capabilities come from the fusing of IdA within UEBA solutions to form a new class of data science security technology: privileged access analytics (PAA).

PAA identifies the complete list of privileged accounts and entitlements, such as when local administrator rights are provided without accountability. This translates into finding normal accounts that have privileged access entitlements. The tagging of accounts as privileged or supervisor is not enough; organizations need machine learning models to find privileged entitlements that are not known and to provide a risk-based approach for managing privileged access. This represents a layer of identity analytics to make PAM and PIM solutions more accurate and complete by providing machine learning granularity down to entitlement risk scoring.
With the benefit of machine learning from big data, PAA is able to dynamically self-learn and self-train as it evolves, digesting existing PAM and PIM data and analyzing any new instance of non-traditional privileged access entitlement. Its visibility and monitoring capability keeps pace as user access and activity expand exponentially, while the risk-based approach maintains accuracy and reliability. These capabilities are empowered by a minimum of 180 predictive behavioral machine learning models with over 250 attributes, which are both customizable and extensible for special use cases to bring added benefits and capabilities.
PAA is compatible with PAM and PIM solutions, with the ability to ingest and analyze data from their various siloed vaults and then also discover and analyze all instances of unknown privileged access entitlements. As an early phase of solution adoption, identity analytics would identify and retire all orphaned, dormant and unused accounts with potential privileged access entitlements. This action immediately reduces an organization’s access threat plane by as much as 89%, based on previous solution adoptions in this category. PAA also helps clean up and maintain privileged access accounts and entitlements before or after integration with a PAM solution.
The solution then continues auto-discovery of new instances of what were previously unknown privileged access entitlements.
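An added illustration (not Gurucul’s code) of the clean-up phase described above: given constructed account records, the Python below flags privileged accounts that are orphaned (the owner has left, as with the departed Salesforce administrator in the case study), dormant, or never used, and measures how much of the privileged account population retiring them removes. The 90-day dormancy window and the as-of date are assumed values.

```python
"""Clean-up phase: find orphaned, dormant and unused accounts holding privileged
entitlements (added example, not Gurucul's code; records are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)  # assumed policy: no activity in 90 days
TODAY = date(2024, 6, 3)            # constructed "as-of" date for the sample


@dataclass
class Account:
    name: str
    privileged: bool               # holds at least one privileged entitlement
    owner_active: bool             # False once the owning person has left
    last_activity: Optional[date]  # None means the account was never used


# Constructed sample population, inspired by the case studies above.
ACCOUNTS = [
    Account("x_jdoe", True, True, date(2024, 5, 30)),
    Account("sf_admin_pwong", True, False, date(2024, 2, 11)),  # ex-employee, still enabled
    Account("e_rlee", True, True, date(2023, 11, 2)),            # nested Domain Admin, idle
    Account("svc_etl", True, True, None),                        # provisioned, never used
    Account("e_mchan", True, True, date(2024, 6, 1)),
    Account("e_asmith", False, True, date(2022, 1, 1)),          # dormant but not privileged
]


def retire_reasons(acct, today):
    """Why a privileged account should be retired; empty list means keep it."""
    reasons = []
    if not acct.owner_active:
        reasons.append("orphaned")
    if acct.last_activity is None:
        reasons.append("unused")
    elif today - acct.last_activity > DORMANT_AFTER:
        reasons.append("dormant")
    return reasons


def cleanup_report(accounts, today):
    """Privileged accounts to retire, and the share of the privileged
    population (the access threat plane) that retiring them removes."""
    privileged = [a for a in accounts if a.privileged]
    retire = {a.name: retire_reasons(a, today) for a in privileged
              if retire_reasons(a, today)}
    reduction = len(retire) / len(privileged) if privileged else 0.0
    return {"retire": retire, "threat_plane_reduction": reduction}


if __name__ == "__main__":
    report = cleanup_report(ACCOUNTS, TODAY)
    for name, why in report["retire"].items():
        print(f"{name}: {', '.join(why)}")
    print(f"threat plane reduced by {report['threat_plane_reduction']:.0%}")
```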
Once integrated with a PAM/PIM solution, PAA offers all-inclusive visibility across all environments, in both on-premises and cloud, including those systems originally unaccounted for by PAM/PIM solutions. With this full contextual visibility, PAA then provides robust user access and activity behavioral analysis, risk scoring and remediation capabilities including closed-loop responses via API integration. PAA provides intelligence to discover privileged access, detect access outliers, excess access, shared privileged accounts, access abuse, compromised accounts, and more. This is only possible through advanced machine learning and drawing from big data to assure the broadest data sets possible for analysis. Machine learning eliminates the arduous manual requirement of security team analysts individually investigating separate instances of inquiry, and frees them up to perform more intelligent work organizations need them to perform.
PAA and PAM/PIM solutions work side by side, or PAA performs by itself to reduce privileged access risk and detect anomalous behavior for privileged access abuse. The data science of machine learning for PAA that is derived from UEBA and IdA models is a specialty skill along with big data architecture and data ingestion for the context, even more so for hybrid environments of on-premises and cloud. The value PAA provides for PIM and PAM is a subset of providing identity analytics to IAM solutions for a risk-based approach after years of check box compliance rubber-stamping. Gurucul customers have deployed UEBA and IdA machine learning models for various use cases supporting access management, as noted earlier.
PAA delivers advantages independently to organizations as a standalone solution, as well as delivering the ability to optimize PAM/PIM solutions. Additional benefits of privileged access analytics include:
With the mature capability of PAM/PIM vaulting for access credentials combined with the robust analytics of IdA and UEBA, PAA leverages the strengths of both classes of solution to create a new paradigm in next generation risk-based privileged access security. Eradicating siloed visibility and providing discovery, PAA delivers more comprehensive visibility and risk-based analytics to manage privileged access comprehensively, while monitoring the access and activity of all privileged users and entities across hybrid environments of on-premises and in the cloud.
This not only includes the ability to see the full context of a privileged user’s access risks and anomalous activities, but also to see the extended context of the user’s privileged access and activity before and after any incident in question.
By eliminating siloed inventory and leveraging machine learning from big data, PAA provides automated discovery of privileged access, risk-based certifications, detection of excess access and access outliers, clean-up of privileged access for orphan and dormant accounts, intelligent roles to replace legacy roles, plus dynamic access provisioning to reduce workload. Analyzing privileged access down to the entitlement level is perfect for machine learning and futile for humans, providing a savings in time and expense.
Leveraging all of the strengths for which PAM and PIM were originally designed, PAA provides identity analytics and expands the solution capabilities, enabling holistic, 360-degree monitoring and visibility down to privileged access entitlements, plus eradicating the constrained limitations of siloed PA inventory.
As customers grow increasingly concerned about privileged access abuse and the discovery gap for unknown privileged access entitlements, they look to leverage their PAM and PIM investments as quickly as possible to protect against the growing access threat plane and access outlier risks. To address this challenge, a robust and flexible solution is required: privileged access analytics. With the capability of partnering with PAM/PIM solutions, PAA is empowered by true machine learning, drawing from big data and leveraging a fusion of both identity analytics and user and entity behavior analytics. With 360-degree monitoring visibility for identity, accounts, access and activity, PAA expands to analyze enterprise on-premises and cloud environments, providing accurate risk scores and actionable intelligence, to assure timely access risk reduction and access abuse remediation. PAA represents a new standard for the next generation in comprehensive security assurance of privileged access accounts and entitlements.
Gurucul offers the industry’s widest UEBA use case coverage with an install base in many industry verticals including banking and finance, insurance, healthcare, high tech and more. This gives enterprises the coverage they need today along with the ability to tackle their growing needs in User and Entity Behavior Analytics (UEBA), Identity Analytics (IdA) and Cloud Security Analytics (CSA). To learn more about what SC Magazine calls “the most sophisticated example of behavioral analytics we have seen to date” visit the Gurucul website. If you’re ready to move ahead with a proof of concept, contact us at info@gurucul.com.