When we think of insider threats, the image that comes to mind is often that of a disgruntled employees looking to cause damage to an organisation.
However, these threats are caused by honest mistakes more often than not, says Byron Davel, Product Manager at Credence Security.
“This is why Privileged Access Management (PAM) is becoming a key part of every organisation’s security strategy. Privileged credentials hold the keys to the kingdom as they are primary targets for attackers. The 2018 Verizon Data Breach Investigations Report found that stolen credentials was the most prevalent method of attack across all successful breaches. A Forrester survey of network security decision-makers whose firms have had a security breach in the last 12 months found that the resulting top two changes in those organisations were to increase spending on prevention and network detection technologies,” he says.
Controlled use of administrative privileges as a single control is one of the basic critical security controls. Along with patching and application whitelisting, restricting administrative privileges can mitigate most intrusions, research has found.
“Adding security controls will always help raise security posture. Even organisations that have already implemented an identity and access management (IAM) solution need to control privileged access. However, many companies aren’t sure where to begin – where to focus resources, how much funding to allocate, etc. As with any security project, managing and protecting privileged account access requires a continuous approach that employs an ongoing programme,” Davel says.
“The first step is to define and classify privileged accounts. Once the organisation has established this, it needs to develop security policies that explicitly cover them. Second, companies must discover their privileged accounts. Automated PAM software makes it easy to identify privileged accounts and implement continuous discovery. This will help prevent privileged account sprawl, identify potential insider abuse, and reveal outside threats.”
Next, he says, is the management and protection of privileged account passwords. “A PAM solution should automatically discover and store privileged accounts, scan individual privileged session activity, schedule password rotation, and examine password accounts in order to quickly detect and respond to malicious activity.”
A least-privilege strategy should be at the heart of a PAM strategy so that privileges are only granted when required and approved, Davel adds. “High-end PAM solutions offer least-privilege and application control. They also allow for the monitoring and recording of sessions for privileged account activity. This enforces proper behaviour and helps avoid end-user errors because all activities are being supervised. If a breach does occur, monitored privileged account use also provides information to forensics teams to assist in identifying the cause of the breach causes as well as insights into how to reduce risk exposure in the future.”
Good PAM solutions should also detect usage and analyse behaviour to look for abnormalities, he says. “Real-time visibility into the access and activity of users will allow you to detect potential insider threats. It will also help a company respond to incidents effectively.”
The final step in implementing PAM in an organisation is reviewing and auditing privileged account activity. “Repeatedly analyse privileged account use through audits and reports to identify unusual behaviour that may indicate a breach or misuse. A proper solution’s automated reporting will help track the cause of any security incidents and comply with industry and government regulations,” Davel concludes.