Enter PAM and VPAM providers
While there isn’t one silver bullet that will keep your company from suffering a data breach due to privileged credential abuse or misuse, sophisticated and granular audit controls can go a long way towards building a defense-in-depth “castle” around your key systems.
There are several features to look for when evaluating solutions that include privileged access auditing.
A single source of truth for privileged identities and credentials
When third parties are logging into your network and systems with privileged access, a lot is at stake. These credentials hold the keys to the kingdom and should be treated differently than rank-and-file authentication.
It’s essential to have a single place to house these logins. This way, credentials are never sent to a vendor, so logins and passwords cannot be shared, cannot be used to leapfrog into other systems, and won’t end up on a sticky note or in a digital keychain. A privileged access management solution, such as Delinea's Secret Server, provides this centralized and secure repository.
Having a password vault combined with complementary technology and/or process controls, such as multi-factor authentication (MFA), for privileged administrative access is a must. Policies around sharing root or privileged access to systems should also be standard practice.
Contextually audit metadata
Context is critical when monitoring privileged access. Before system access is granted, particularly if requested from a third party, you must determine:
- The reason for the access
- The specific applications that will be accessed
- The protocols that will be used
- Who approves the access
This information will give you the details required to know whether a connection is normal or troubling, and help you catch mistakes and malicious activity before it impacts your systems.
This information also allows you to assess the request after an incident as part of your cyber incident response process. Privileged Access Management and vendor privileged access management solutions can record additional details, and these fields can be customized to match internal help desk systems and other management tools. Compliance data fields can also be captured for special regulatory reporting requirements, such as those imposed by gaming commissions and new privacy laws.
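As an added illustration (not code from the original post or from any vendor product), the following Python snippet records the four context fields listed above with each access grant and then checks a constructed set of session events against that approved context. The grant schema, field names and sample events are assumptions made for the example; a real PAM/VPAM deployment would supply these from its own audit logs.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessGrant:
    """Context captured before privileged access is approved (hypothetical schema)."""
    vendor: str
    reason: str            # why the access was requested
    approver: str          # who approved it
    applications: frozenset  # specific applications that may be accessed
    protocols: frozenset     # protocols allowed for the session
    valid_from: datetime
    valid_until: datetime


@dataclass(frozen=True)
class SessionEvent:
    """One observed connection within a privileged session (hypothetical schema)."""
    timestamp: datetime
    application: str
    protocol: str


def review_session(grant: AccessGrant, events: list) -> list:
    """Return findings for every event that falls outside the approved context."""
    findings = []
    if not grant.approver:
        findings.append("grant has no recorded approver")
    for ev in events:
        stamp = f"{ev.timestamp:%H:%M}"
        if not grant.valid_from <= ev.timestamp <= grant.valid_until:
            findings.append(f"{stamp} outside approved window")
        if ev.application not in grant.applications:
            findings.append(f"{stamp} unapproved application {ev.application}")
        if ev.protocol not in grant.protocols:
            findings.append(f"{stamp} unapproved protocol {ev.protocol}")
    return findings


# Constructed sample: a vendor approved for RDP to one application, 09:00-12:00.
GRANT = AccessGrant(
    vendor="acme-support", reason="patch ERP app server", approver="j.doe",
    applications=frozenset({"erp-app"}), protocols=frozenset({"rdp"}),
    valid_from=datetime(2024, 1, 15, 9, 0), valid_until=datetime(2024, 1, 15, 12, 0),
)
EVENTS = [
    SessionEvent(datetime(2024, 1, 15, 9, 15), "erp-app", "rdp"),   # normal
    SessionEvent(datetime(2024, 1, 15, 9, 40), "erp-db", "ssh"),    # drifted to the database over SSH
    SessionEvent(datetime(2024, 1, 15, 13, 5), "erp-app", "rdp"),   # after the window closed
]

if __name__ == "__main__":
    for finding in review_session(GRANT, EVENTS):
        print(finding)
```

The same comparison run against a help desk ticket or change record gives a reviewer an immediate answer to "was this connection normal?" without replaying the whole session.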
Granular audit data
When you must dig deep, it is useful to have a detailed view. PAM and VPAM solutions offer playback of all activity in graphical environments like Windows, or keystroke records for command line activity. This “security camera” for your network and systems is crucial when trying to figure out what went wrong in the case of an accidental error or for forensic analysis in the case of a breach or other security incident. Of course, monitoring capabilities need to be in place before a potential breach occurs.
Finally, if you use both a PAM and a VPAM solution, integrating the two brings significant benefits: operational efficiencies, tighter data and infrastructure security, and unified audit features. This will ensure you are prepared when auditors come calling or malicious cyber criminals breach your network.
Thinking through threats that exist from inside the security perimeter is an essential part of robust cybersecurity defense. Be proactive with a practical defensive strategy. It will pay a huge dividend, but you must do it now before a breach occurs.