Privileged access can pose big risks to company security
Behavior biometrics provides window to user patterns, can point to malicious intent
By Sue Poremba, ThirdCertainty
It was some four years ago that Edward Snowden shook up the global cybersecurity and privacy advocacy communities by leaking sensitive government documents to the press. Snowden put concerns about identity access management and the need to closely monitor privileged access to sensitive systems front and center.
Then earlier this summer an NSA contractor named Reality Leigh Winner allegedly printed secret documents and turned them over to the press. Winner’s disclosures reminded the cybersecurity community why privileged access is an area of network security that requires constant vigilance.
Problems from within
Clearly America’s top intelligence agency continues to have a serious insider threat problem, even in the post-Snowden era. Uncle Sam isn’t alone. Insider threats from employees and contractors with legitimate access privileges continue to be one of the most difficult security problems to address across all industries.
Tripwire identified insider threat as a primary security concern for 2017, noting that privileged access, however it is obtained, makes it much easier for a malicious actor to cover his or her tracks.
And the 2017 Verizon Data Breach Investigations Report added that privileged use is the third most common form of data breach, with 81 percent of hacking-related breaches leveraging passwords.
Yet, said Joseph Carson, chief security scientist at Thycotic, traditional methods of identifying and managing privileged accounts still rely on manual, time-consuming tasks performed on an infrequent or ad-hoc basis. “Even in the most sophisticated IT environments, privileged accounts are all too often managed by using common passwords across multiple systems, unauthorized sharing of credentials, and default passwords that are never changed — making them prime targets for attack,” he added.
Password management falls short
Many organizations have turned to identity access management (IAM) systems, also referred to as privileged access management (PAM) systems, as a way to prevent data breaches through a privileged account. But is it time to improve on that approach?
Yes, according to Márton Illés, director of products at Balabit. He argues that there often is too much emphasis on password management, and we must remember that is only the first line of defense. “Password management doesn’t defend against attackers with valid credentials,” he said. “It also doesn’t cover what the users are doing after they login.”
New ways to fight back
The best security is about layers, and in PAM that will include adding steps like multifactor authentication and identity management. Balabit is adding another layer, which it refers to as “behavioral biometrics.”
IT security has been about catching the known entity, but privileged users add a twist. They are known users, but conducting unknown activities. With behavioral biometrics as a form of authentication, according to Peter Gyöngyösi, product owner of privileged account analytics at Balabit, organizations can detect who the user is and what he is doing—and whether that matches normal patterns. “If you want to figure out when something is wrong, you have to understand the organization and its baseline activity.”
Detecting action out of the norm
Gyöngyösi said this idea of behavior as authentication works on three principles: habits, possession and inherence. When behavior algorithms are included in PAM tools, the organization has a pattern of each user’s regular login habits, including work hours, files accessed and typical activities performed.
The tool also knows which devices are commonly used during normal work and access hours and how those devices are operated (for instance, a keyboard and mouse or a touch pad). Finally, the behavior tools analyze mouse movement and keystroke dynamics. “It can tell if you are right-handed or left-handed by the way you move your mouse,” Gyöngyösi said.
It’s not a perfect system—there will still be some false positives, such as an employee who decides to work at odd hours throwing off the algorithm—but in general, behavioral biometrics provides a fairly accurate assessment of not only who is on your network but also what they are doing. It opens a window for organizations to tell whether an outsider has compromised an employee’s privileged account or an insider is acting with malicious intent.
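To make the baseline idea concrete, here is an added example written for this article; it is not Balabit’s product or code. It builds a per-user baseline from past privileged sessions using the habit and possession signals described above (start hour, resources touched, device, and whether it is driven by keyboard and mouse or a touch pad) and scores a new session by how much of the history it departs from. The user names, hosts, shares, weights and threshold are constructed sample data and the scoring formula is an assumption, not the vendor’s algorithm; fine-grained keystroke and mouse dynamics are reduced here to the input kind. The odd-hours case shows the false-positive caveat: a single unusual signal raises the score without tripping the alert on its own.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    user: str
    start: datetime
    device: str            # workstation the session was opened from (possession)
    input_kind: str        # "keyboard_mouse" or "touchpad" (how the device is operated)
    resources: frozenset   # files or systems touched during the session (habits)


def _s(user, day, hour, device, input_kind, *resources):
    return Session(user, datetime(2017, 6, day, hour), device, input_kind, frozenset(resources))


# Constructed history: 'alice' administers db-prod from ws-17 with keyboard and mouse,
# usually between 09:00 and 11:00, and occasionally touches two file shares.
HISTORY = [
    _s("alice", 1, 9, "ws-17", "keyboard_mouse", "db-prod", "backup-share"),
    _s("alice", 2, 10, "ws-17", "keyboard_mouse", "db-prod", "backup-share"),
    _s("alice", 5, 9, "ws-17", "keyboard_mouse", "db-prod"),
    _s("alice", 6, 11, "ws-17", "keyboard_mouse", "db-prod", "backup-share"),
    _s("alice", 7, 10, "ws-17", "keyboard_mouse", "db-prod", "hr-share"),
    _s("alice", 8, 9, "ws-17", "keyboard_mouse", "db-prod", "backup-share"),
    _s("alice", 9, 14, "ws-17", "keyboard_mouse", "db-prod"),
    _s("alice", 12, 10, "ws-17", "keyboard_mouse", "db-prod", "backup-share"),
    _s("alice", 13, 9, "ws-17", "keyboard_mouse", "db-prod", "backup-share"),
    _s("alice", 14, 11, "ws-17", "keyboard_mouse", "db-prod", "hr-share"),
]

# Assumed weights (sum to 1.0) and alert threshold; a real deployment would tune these.
WEIGHTS = {"hour": 0.25, "device": 0.25, "input": 0.20, "resource": 0.30}
ALERT_THRESHOLD = 0.5


def build_baseline(sessions):
    """Per-user counts of start hours, devices, input kinds and resources seen in history."""
    grouped = defaultdict(list)
    for s in sessions:
        grouped[s.user].append(s)
    return {
        user: {
            "n": len(ss),
            "hours": Counter(s.start.hour for s in ss),
            "devices": Counter(s.device for s in ss),
            "inputs": Counter(s.input_kind for s in ss),
            "resources": Counter(r for s in ss for r in s.resources),
        }
        for user, ss in grouped.items()
    }


def _novelty(count, n):
    """Fraction of past sessions that did NOT show this attribute (1.0 = never seen before)."""
    return 1.0 - count / n


def score_session(baselines, session):
    """Score a session against its user's baseline; a user with no history is always escalated."""
    baseline = baselines.get(session.user)
    if baseline is None:
        return {"score": 1.0, "alert": True, "components": {}, "reasons": ["no_baseline"]}
    n = baseline["n"]
    hour = session.start.hour
    # Habit: sessions that started within one hour of this one count as familiar.
    near = sum(baseline["hours"].get(h % 24, 0) for h in (hour - 1, hour, hour + 1))
    components = {
        "hour": _novelty(near, n),
        "device": _novelty(baseline["devices"].get(session.device, 0), n),
        "input": _novelty(baseline["inputs"].get(session.input_kind, 0), n),
        # The single most unusual resource drives the signal: one never-touched share matters.
        "resource": max((_novelty(baseline["resources"].get(r, 0), n) for r in session.resources), default=0.0),
    }
    score = sum(WEIGHTS[k] * v for k, v in components.items())
    reasons = [k for k, v in components.items() if v > 0.5]
    return {"score": score, "alert": score >= ALERT_THRESHOLD, "components": components, "reasons": reasons}


# Constructed new sessions to score against the baseline.
NORMAL = _s("alice", 15, 10, "ws-17", "keyboard_mouse", "db-prod", "backup-share")
TAKEOVER = _s("alice", 15, 3, "laptop-unknown", "touchpad", "db-prod", "payroll-export")
ODD_HOURS = _s("alice", 15, 22, "ws-17", "keyboard_mouse", "db-prod")
UNKNOWN = _s("mallory", 15, 10, "ws-17", "keyboard_mouse", "db-prod")


def demo():
    baselines = build_baseline(HISTORY)
    return {name: score_session(baselines, s) for name, s in
            [("normal", NORMAL), ("takeover", TAKEOVER), ("odd_hours", ODD_HOURS), ("unknown", UNKNOWN)]}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: score={r['score']:.2f} alert={r['alert']} reasons={r['reasons']}")
```

The odd-hours session scores 0.25 and is not alerted, while the session from an unknown device with a touch pad at 03:00 touching a never-seen share scores 1.0 on every component; that spread is what lets an analyst tune the threshold so late-night work by a legitimate admin does not page anyone, yet a credential used from the wrong place in the wrong way does.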
“You have to trust privileged users,” Gyöngyösi said, “but you also have to recognize they can be a huge risk. Traditional solutions aren’t going to provide much protection against privileged users.”