Privileged accounts represent one of the largest vulnerabilities an organization faces today in network security. It doesn’t matter if the accounts are compromised by an external attacker or a malicious insider. If privileged accounts are in the hands of an adversary it is a very real and scary threat. These accounts have the ability to take full control of an organization’s IT infrastructure and systems need to be in place to detect and respond to any misuse or compromise of these accounts.
A privileged user account is typically granted to an employee with authority to access more information than what a typical user account would provide. These special user accounts are created out of necessity for people to have access rights to particular systems or devices to perform upgrades and other technical configurations. Another type of user account which is overlooked in most organizations is a service account. Service accounts are accounts that are not utilized by a particular employee but by a specific service or program within an environment. Service accounts need elevated permissions for some programs to run and are therefore considered to be privileged users.
Privileged Accounts for Network Security
Privileged accounts are limited by fewer controls. Users with privileged accounts have access to more of their companies’ intellectual property, such as: corporate data, confidential operating procedures, and employee information. Privileged users also have the ability to circumvent controls that would normally restrict non-privileged users. With this in mind, the IT security professional has no choice but to take the monitoring and control of these accounts seriously to protect their network security.
Ask yourself the following question; if a privileged account was compromised in your environment today, how long would it take for your security team to detect and mitigate the situation? For many IT professionals, that’s not an easy question to answer. That is precisely why Infogressive utilizes privileged user monitoring (PUM) through Infogressive’s managed SIEM solution. This module allows us to bring real value to our customers and is enabled day one, for all managed clients. Benefits include:
- Data is sent encrypted in real time to a log manager that resides in our data center, preventing any manipulation or deletion of log data.
If there is a security incident, one of the first things that a system administrator will do is reference the log data. Every operation that is performed on a system is recorded to log files. An attacker that has taken control of a privileged account will access the log files and remove traces of an intrusion. By sending logs to a remote location in real-time an attacker can remove logs and attempt to cover their tracks all they want; it won’t do any good because a copy of the logs has already been offloaded.
- Event notifications are sent anytime a privileged user account is added, modified or disabled anywhere in the environment.
It’s a fact that breaches occur and organizations are not aware of the intrusion for days, weeks, or even years. That gap has to be narrowed and automation is the key; alarm rules send notifications out anytime an account is added to a privileged group, an administrator’s password is changed, etc. Complex correlation rules can pair a malware payload drop followed by the creation of a privileged account. Smart responses can automate reactions to alerts. Tools in place that monitor such activity round the clock will greatly increase an organization’s ability to detect and respond to threats.
- All log data is archived and stored for a specified amount of time; it is searchable for forensic purposes.
Log data is usually only kept for a specific amount of time within an environment and the data is distributed across many different machines. Use of a SIEM (Security Information and Event Management) changes that by creating a central repository for all log sources throughout an environment. If you detect a breach and need to track a particular privileged account you can easily search through the archived data for log analysis.
There are many products out there and everyone thinks they have the answer. Take a close look at SIEM technology and enable modules such as privileged user monitoring as Infogressive does. You greatly improve the ability to quickly detect and respond to threats to your organization. Through our service we have the ability to detect, respond, and perform forensic investigations keeping privileged accounts and network security monitored.
Written By: Rob Frickel, VP of Engineering