Many organizations have embarked upon a cyber security “sprint” in order to significantly reduce their privileged account attack surface. The sprint—designed to yield initial results in just 30 days—focuses on prioritizing the implementation of core controls to protect an organization’s most powerful and vulnerable accounts.
Bolstered by sprint-driven successes and momentum, it’s time for organizations to gear up for the next leg of their security program. They need to turn their “sprint” into a longer-term, sustainable cyber security program. As part of the journey, security teams often have questions about the best path forward. For example, they ask:
- “How do we choose different workflows and controls to implement?”
- “How do we risk rank them?”
- “What does an ideal state of security look like?”
- “How do we track and measure success or even support the program from a people perspective?”
Let’s focus on two fundamental elements for a successful, long-term program. The goal is to significantly reduce the risk of privileged credential theft. Keeping the attack pathway in mind, you want to shut down access to credentials and minimize what attackers can do with any credentials that are exposed. Ideally, you also limit how far attackers or malicious insiders can move within the organization using a specific set of credentials.
One: Increase the Coverage of Privileged Account Security Controls across the Organization
During the “sprint,” organizations focus on protecting their most powerful accounts first. This typically includes steps such as isolating and monitoring access to domain controllers and member computers, implementing multi-factor authentication to protect high-risk privileged credentials, eliminating unnecessary accounts and privileges, and establishing credential boundaries.
During the next leg of the journey, the focus shifts to scale—or the implementation of basic credential management & session isolation for human user accounts across as many technologies as possible—while minimally impacting end user experience and productivity. These include accounts linked to Unix devices, databases, network devices and built-in back door IDs. These are very powerful accounts. They exist in every system, yet they’re not typically used on a day-to-day basis by end users. Organizations can move quickly to implement change and showcase demonstrable wins while causing the least disruption possible.
Two: Create an In-Depth Layer of Controls within the Riskiest Assets in the Environment
When it comes to analyzing the risk of a particular work stream (defined as the combination of a particular platform and an account type), it’s important to take three key things into consideration. We sometimes refer to this as a “privilege triad”:
- The scope of influence: How many different assets can I affect with a single privileged account? What can this access? Does it cross different network boundaries? Does it cross different risk tiers? Who currently has access to these IDs?
- Level of privilege: How much can I do with a given privileged account once I hit a system? How are we granting privilege in the first place, and can we granularly control it?
- Ease of compromise: What controls do I have, or lack, today within my environment for this particular work stream? Do people actually know about these credentials directly? Are they using them from their workstations? Are we rotating them? What sort of underlying vulnerabilities might exist within this particular technology to begin with?
This “privilege triad” can be used to evaluate any environment or work stream within an organization. Art Chaisiriwatanasai of KPMG shared a great example of how his company uses similar classification and risk-rating mechanisms to pinpoint high-risk assets in his CyberArk guest blog, Privileged Access Management: A Matrix Approach for Account Ranking and Prioritization.
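One way to turn the triad's questions into a sortable ranking of work streams, as an added example that is not from this article, CyberArk or KPMG. The field names, the 1 to 5 scales, the asset-count bands and the multiplication rule are all assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass

@dataclass
class WorkStream:
    """A platform plus an account type. All field names are hypothetical."""
    platform: str
    account_type: str
    assets_reachable: int           # scope: assets one account can affect
    crosses_network_boundary: bool  # scope
    crosses_risk_tier: bool         # scope
    privilege_level: int            # level: 1 (limited) to 5 (full admin/root)
    known_to_people: bool           # ease: people know the credential directly
    used_from_workstations: bool    # ease
    rotated: bool                   # ease: credential is rotated
    mfa: bool                       # ease: multi-factor authentication enforced

def scope_score(ws):
    """1..5: asset-count band plus one point per boundary crossed (assumed bands)."""
    band = 3 if ws.assets_reachable >= 1000 else 2 if ws.assets_reachable >= 100 else 1
    return band + ws.crosses_network_boundary + ws.crosses_risk_tier

def ease_score(ws):
    """1..5: one point for each exposure present or control missing."""
    return (1 + ws.known_to_people + ws.used_from_workstations
            + (not ws.rotated) + (not ws.mfa))

def triad_score(ws):
    """Product of the three dimensions, 1..125 (assumed combination rule)."""
    if not 1 <= ws.privilege_level <= 5:
        raise ValueError(f"privilege_level out of range for {ws.platform}")
    return scope_score(ws) * ws.privilege_level * ease_score(ws)

def rank(streams):
    """Riskiest work stream first."""
    return sorted(streams, key=triad_score, reverse=True)

# Constructed inventory, not real data.
INVENTORY = [
    WorkStream("Database", "built-in DBA", 40, False, False, 4, True, True, False, False),
    WorkStream("Unix", "root", 400, True, False, 5, True, False, False, True),
    WorkStream("Network device", "local admin", 150, True, True, 4, False, False, True, False),
    WorkStream("Windows domain", "domain admin", 2500, True, True, 5, True, True, False, False),
]

if __name__ == "__main__":
    for ws in rank(INVENTORY):
        print(f"{triad_score(ws):>3}  {ws.platform} / {ws.account_type}")
```

Multiplying the dimensions means a low score on any one of them, such as a rotated, MFA-protected credential nobody knows directly, pulls the whole work stream down the list.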
To explore these control sets further, check out this short video that outlines three primary phases our solutions engineering team often recommends for improving privileged account security.