In our previous post, we highlighted part of a conversation on privileged account security with IDC analysts Charles Kolodgy and Sally Hudson. Here is part two of that conversation.
CyberArk: What is privileged account security and why is it important?
IDC: Privileged account security solutions proactively secure and manage privileged credentials, monitor privileged account activity, and detect malicious privileged user behavior. These solutions provide the granularity needed to name the individual user, thus taking away the anonymity of shared accounts and providing individual accountability. Password or credential vaults, credential management and access approval workflows, session monitoring and recording, and behavioral analytics are all components of these types of solutions. Privileged account security is a critical component of a layered defense strategy because privileged accounts provide such broad access to critical data, servers, and virtually every component of IT infrastructure.
CyberArk: What technologies are available to help companies identify and stop attacks targeted at privileged credentials after they have breached the perimeter?
IDC: Existing enterprise security solutions such as network security tools, antivirus, and vulnerability assessments provide layers of defense. However, these tools have proven to be ineffective against determined external attackers and threats from users already inside the perimeter. To ensure that attackers are unable to exploit privileged accounts, take control of critical IT resources, and steal confidential information, these accounts must have proactive protection and be monitored on a continuous basis.
New tools focused on analyzing privileged account behavior in real time are becoming available, allowing the organization to identify abnormal use of privileged accounts. The goal is to provide alerts on deviations from expected user behaviors that may indicate malicious activity. For example, if administrator “X” always works between the hours of 8:30 and 5:30, a flurry of activity using his or her privileged credential at 1:00 AM may be a strong attack indicator. Privileged account security solutions isolate individual user logon activity. Advanced analytics can identify unusual activity by a single user, rather than the entire shared account, thereby detecting a threat in progress. In addition to segmenting individual users, the solution should correlate data across all users and systems, providing additional immediate and actionable insight for identifying an in-progress attack. This ability to alert on unusual privileged account user behavior can substantially increase overall IT security within an organization, while simplifying a critical component of security monitoring and remediation.
CyberArk: How is threat analysis centered on privileged account data differentiated from other threat analysis, and what are some of the advantages?
IDC: Security monitoring solutions generate a great deal of data that can be normalized and processed to get an understanding of what is going on within the enterprise. Much of that information can be used to find indications of a breach. For this reason, organizations use log management and SIEM to comb through data for attack indicators. SIEM systems have their value but can be overwhelmed by the sheer amount of data that needs to be processed and the number of alerts that operators must triage and respond to. By concentrating analytics directly on anomalous events related to privileged user behavior, or correlating privilege-based alerts with other indicators, it is possible to quickly determine which alerts indicate a true threat as opposed to false positives.
As part of the privileged account security system, an analytics engine provides a targeted view on individual user or application behavior in context within the environment. The data is analyzed at the user level, not the shared account level. This provides the granularity required to detect anomalies. Adding to the effectiveness of analytics, the solution analyzes data in real time, empowering incident response teams to act quickly to disrupt in-progress attacks. These solutions can be integrated into an organization’s existing SIEM system to improve the SIEM’s overall effectiveness.
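The user-level analytics described in the second and final answers above, as an added example that is not part of the interview and not code from any CyberArk product: a small Python detector that attributes logons to a shared account back to the named user who had it checked out from a vault, flags logons with no checkout at all, and flags off-hours bursts against a per-user working-hours baseline. The checkout records, the baseline hours, the host name and the session log lines are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed vault checkout records (user, shared account, start, end): they
# tie each shared-account session back to the named user who held it.
CHECKOUTS = [
    ("alice", "root@db01", "2024-03-04T08:30", "2024-03-04T17:30"),
    ("bob",   "root@db01", "2024-03-05T07:00", "2024-03-05T19:00"),
    ("alice", "root@db01", "2024-03-06T00:30", "2024-03-06T02:00"),
]
# Constructed per-user baseline: hours of the day each admin normally works.
BASELINE = {"alice": range(8, 18), "bob": range(7, 20)}
# Constructed session log from the host: one line per logon to the shared account.
SESSION_LOG = """\
2024-03-04T09:12 root@db01 login from 10.0.5.20
2024-03-04T16:40 root@db01 login from 10.0.5.20
2024-03-05T18:05 root@db01 login from 10.0.5.21
2024-03-05T23:30 root@db01 login from 10.0.9.77
2024-03-06T01:02 root@db01 login from 10.0.9.77
2024-03-06T01:04 root@db01 login from 10.0.9.77
2024-03-06T01:07 root@db01 login from 10.0.9.77
"""

def parse(line):
    ts, account, _, _, src = line.split()
    return datetime.fromisoformat(ts), account, src

def attribute(ts, account):
    """Map a shared-account logon to the user who had it checked out, if any."""
    for user, acct, start, end in CHECKOUTS:
        if acct == account and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return user
    return None

def detect(log=SESSION_LOG, baseline=BASELINE, burst=3):
    """Alert on logons with no vault checkout (credential used outside the
    workflow) and on per-user off-hours logons; `burst` or more in a day is high.
    Each alert is (kind, subject, when, severity, count)."""
    off_hours, alerts = defaultdict(list), []
    for line in log.splitlines():
        ts, account, src = parse(line)
        user = attribute(ts, account)
        if user is None:
            alerts.append(("no-checkout", account, ts.isoformat(), "high", 1))
        elif ts.hour not in baseline[user]:
            off_hours[(user, ts.date().isoformat())].append(src)
    for (user, day), srcs in off_hours.items():
        sev = "high" if len(srcs) >= burst else "medium"
        alerts.append(("off-hours", user, day, sev, len(srcs)))
    return alerts
```

The 23:30 logon raises a high alert on its own because no one had the account checked out, while the three 01:00 logons are attributed to alice and raised together as one off-hours burst rather than as anonymous activity on the shared root account.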