User Behavior Monitoring – Focus on Privileged Users

ESG’s Jon Oltsik has a great post on Network World this week about enterprise security monitoring. Large enterprises, he points out, need help in monitoring user behavior as well as endpoints and sensitive data.

Well put; however, I would take this a few steps further.

First, not all users are equal. Users with privileged access can do a lot more damage than average users. Given the power of administrative credentials such as “root” access, these users can look at, touch and manipulate any data, anywhere it might rest. With these incredibly powerful credentials, a user can bypass security controls outright and turn off audit and monitoring systems, effectively breaching defenses without anyone ever knowing it. Need examples? There’s Navy systems administrator Nicholas Knight, for one, not to mention Edward Snowden.

Second, it’s not just malicious insiders that companies need to worry about. External attackers have grasped the power of privileged user credentials for many years, and in every significant attack of the past few years, privileged account compromise played a critical role. The eBay breach is a classic example. The very fact that just a ‘small number’ of compromised accounts resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, not enough attention has been paid to protecting privileged access accounts, where one small human error can cause an enterprise-wide security breach. You can read more about this in a CyberSheath white paper here.

After the initial network breach, attackers go about the process of escalating their privileges so they can move laterally throughout the network.

User monitoring? Absolutely!  And start with your privileged users.
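One concrete way to begin: watch what privileged users actually do, and alert first on the actions described above that blind the audit trail. The following is an added illustration, not code from the original post, ESG or CyberSheath. It assumes the stock syslog format that sudo writes, and the log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample sudo log lines (stock sudo syslog format); not real data.
SAMPLE_LOG = """\
May 21 10:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
May 21 10:05:43 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/auditctl -e 0
May 21 10:06:02 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
May 21 10:07:15 host1 sudo:    carol : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm -f /var/log/audit/audit.log
May 21 10:09:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
"""

# Fields of a sudo "command executed" record: invoking user, target user, command.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*? USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Commands that disable or blind audit/monitoring; the first match wins.
TAMPER_PATTERNS = [
    (re.compile(r"auditctl\s+-e\s+0"), "audit subsystem disabled"),
    (re.compile(r"(systemctl|service)\s+(stop|disable)\s+(auditd|rsyslog|syslog)"), "logging/audit service stopped"),
    (re.compile(r"\brm\b.*/var/log/"), "log file removal"),
]

@dataclass
class Finding:
    user: str      # who invoked sudo
    target: str    # whose privileges were used (e.g. root)
    command: str
    reason: str

def privileged_actors(text, target="root"):
    """Inventory: every account that ran a command as the given target user."""
    return {m.group("user") for m in (SUDO_RE.search(l) for l in text.splitlines())
            if m and m.group("target") == target}

def scan_sudo_log(text):
    """Return one Finding per privileged command that matches a tampering pattern."""
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        for pattern, reason in TAMPER_PATTERNS:
            if pattern.search(m.group("cmd")):
                findings.append(Finding(m.group("user"), m.group("target"), m.group("cmd"), reason))
                break
    return findings

if __name__ == "__main__":
    print("privileged actors:", sorted(privileged_actors(SAMPLE_LOG)))
    for f in scan_sudo_log(SAMPLE_LOG):
        print(f"ALERT {f.user} as {f.target}: {f.reason}: {f.command}")
```

In practice the same scan should run against logs shipped off-host, since a privileged user who can stop auditd can also edit the local file it writes to.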