Three Key Steps for Locking Down Critical Privileged Accounts
October 13, 2017 | Security and Risk | Chris Maroun
Let’s cut to the chase: Most IT professionals understand cyber attacks will happen, and it’s simply a matter of when. Every major breach has a common denominator: compromised privileged accounts. They are an essential element of the attack lifecycle and must be secured.
I recently presented a webcast on three key steps organizations can take to protect their most critical privileged accounts. Here’s an overview of each of these steps:
Take Control: Locking Down Credentials and Endpoints
Locking down credentials and endpoints is a crucial first step in an environment that does not have privileged credential security in place. The hardest part is figuring out where to start. You’ll need to identify and prioritize which accounts present the greatest risk and therefore need to be locked down first.
- Credential The first step is to figure out exactly where your account credentials actually “live” within your environment. Only then can you truly understand which ones need to be locked down immediately and which ones can be de-provisioned. For example, your organization may currently have 150 separate domain admin accounts that can feasibly be trimmed down to one or, at the minimum, just a handful.
- Endpoints. They continue to be attractive entry points for attackers. Identifying users with local administrator rights and removing those rights is a critical first step to securing your organization’s endpoints. From there, you can create policies against those endpoints. For example, you can dictate which applications can run in administrative mode and which ones cannot. Least privilege and application control are best practices to follow and a strong defensive combo.
Often, the discovery process is easier said than done. The average organization has 3X to 4X more privileged accounts than employees. Tools such as CyberArk DNA can help streamline the arduous process of discovering privileged accounts—on-premises or in the cloud, assessing privileged account security risks to help you prioritize actions and identify accounts with local admin rights. Using such a tool, you can also pinpoint embedded and hard-coded credentials stored within applications and uncover which machines are vulnerable to credential theft attacks, such as harvesting, Pass-the-Hash, Overpass-the-Hash and Golden Ticket. Discovery tools are particularly helpful in cloud environments. For example, in AWS or Azure, organizations can quickly find and identify AWSIM rules, users, Access Keys and EC2 Key pairs.
Once you identify where these credentials are, you can take ownership and action by placing them in a secure space or vault.
Isolate and Control Sessions
Once all of these critical accounts are located within a vault, it’s time to turn your attention to usage control. In today’s collaborative environment, many people need access to privileged accounts—from third-party contractors to temporary employees and more. Solutions such as CyberArk Privileged Session Manager can help manage and monitor privileged account sessions without impacting the end-user experience OR disrupting system administrators’ workflow. It allows users to connect to target systems within their environment via an agentless jump server. This isolates the user from the target systems’ passwords (ensuring credentials never reach endpoints) while enabling authorized access so s/he can perform necessary duties. Meanwhile, the secure vault keeps the passwords hidden and protected and rotates them (either each time they are used or on a set scheduled cycle). Monitoring and recording capabilities enable security teams to track user activity, pinpoint suspicious privileged sessions and immediately terminate them, as needed.
A key, added bonus is that organizations can continue to leverage native tools such as Putty, remote desktop connection manager, etc. CyberArk can configure these tools to be able to go through the CyberArk proxy channels to get to those target systems without introducing a lot of latency between the user and the job that they’re there to do.
Keep a Watchful Eye
The last step is keeping a watchful eye and making sure that you understand where anomalies are actually taking place in the day-to-day routine. For example, does John typically work from 8:00 to 5:00, but suddenly starts to check out passwords at 2:00 a.m.? Was that really even John, or was it someone else? Or, what if John normally checks out 10 to 15 passwords per day, then all of a sudden he starts checking significantly more?
But it’s not just user behavioral analytics—it’s also environmental. What happens if we can detect the very first time that someone is able to compromise the system by brute-forcing their way in as an administrator or another admin account? Or creating a backdoor account and then logging into it at strange hours?
CyberArk Privileged Threat Analytics is a security intelligence system that allows organizations to detect, alert and respond to attacks targeting privileged accounts. It is designed to identify an attack in real-time and automatically respond to stop an attacker from moving laterally to advance the attack. Because in order to move laterally, the attacker needs to have the necessary credentials to escalate privileges. CyberArk individualizes every single password, and therefore, stops the lateral movement and shuts down the pathway. With CyberArk, organizations can set baselines and create thresholds for anomalies and get notifications immediately on true security events, which helps to lower the alert volume. Additionally, taking advantage of integrations—or tools that speak fluently with each other—helps to minimize alert fatigue.
For additional details on the attack lifecycle and how privileged accounts come into play, along with common hurdles to establishing the most effective protection, I invite you to view the on-demand presentation.