Privileged access can pose big risks to company security

Behavior biometrics provides window to user patterns, can point to malicious intent


It was some four years ago that Edward Snowden shook up the global cybersecurity and privacy advocacy communities by leaking sensitive government documents to the press. Snowden put concerns about identity access management and the need to closely monitor privileged access to sensitive systems front and center.

Then earlier this summer an NSA contractor named Reality Leigh Winner allegedly printed secret documents and turned them over to the press. Winner’s disclosures reminded the cybersecurity community why privileged access is an area of network security that requires constant vigilance.

Problems from within

Clearly America’s top intelligence agency continues to have a serious insider threat problem, even in the post-Snowden era. Uncle Sam isn’t alone. Insider threats from employees and contractors with legitimate access privileges continue to be one of the most difficult security problems to address across all industries.

Related article: How identity access management (IAM) tools can mitigate insider threats

Tripwire identified insider threat as a primary security concern for 2017, noting that privileged access, however it is obtained, makes it much easier for a malicious actor to cover his or her tracks.

And the 2017 Verizon Data Breach Investigations Report added that privileged use is the third most common form of data breaches, with 81 percent of hacking-related breaches using a leveraged password.

Yet, said Joseph Carson, chief security scientist at Thycotic, traditional methods of identifying and managing privileged accounts still rely on manual, time-consuming tasks performed on an infrequent or ad-hoc basis. “Even in the most sophisticated IT environments, privileged accounts are all too often managed by using common passwords across multiple systems, unauthorized sharing of credentials, and default passwords that are never changed — making them prime targets for attack,” he added.

Password management falls short

Many organizations have turned to identity access management (IAM) systems, also referred to as privileged access management (PAM) systems, as a way to prevent data breaches through a privileged account. But is it time to improve on that approach?

Márton Illés, Balabit director of products

Yes, according to Márton Illés, director of products at Balabit. He argues that there often is too much emphasis on password management, and we must remember that is only the first line of defense. “Password management doesn’t defend against attackers with valid credentials,” he said. “It also doesn’t cover what the users are doing after they log in.”

New ways to fight back

The best security is about layers, and in PAM that will include adding steps like multi-factor authentication and identity management. Balabit is adding another layer, which it refers to as “behavioral biometrics.”

IT security has been about catching the known entity, but privileged users add a twist. They are known users, but conducting unknown activities. With behavioral biometrics as a form of authentication, according to Peter Gyöngyösi, product owner of privileged account analytics at Balabit, organizations can detect who the user is and what he is doing—and whether that matches normal patterns. “If you want to figure out when something is wrong, you have to understand the organization and its baseline activity.”

Detecting action out of the norm

Gyöngyösi said this idea of behavior as authentication works on three principles: habits, possession and inherence. When behavior algorithms are included in PAM tools, organizations have a pattern of the user’s regular login habits that include work hours, files accessed, and typical activities performed.

It knows the devices commonly used during the normal work/access hours and how those devices are operated (for instance, a keyboard and mouse or a touch pad). Finally, the behavior tools run an analysis of mouse movement and keystroke dynamics. “It can tell if you are right-handed or left-handed by the way you move your mouse,” Gyöngyösi said.

It’s not a perfect system—there will still be some false positives, such as an employee who decides to work at odd hours throwing off the algorithm, for example—but in general, behavioral biometrics will provide a fairly accurate assessment of not only who is on your network but also what they are doing. It opens a window for organizations to tell if an outsider has compromised an employee’s privileged account or if an insider is acting with malicious intent.
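To make the three principles concrete, here is a small added example (not Balabit’s product logic or anything from the article) of how a per-user baseline can be built from past privileged sessions and then used to score a new one. It covers habits (hour of day), possession (originating device), inherence (keystroke dwell time as a z-score against the user’s own history) and the privileged actions performed. The session records, field names and weights are all constructed assumptions; a real deployment would read these from a PAM audit or session-recording log. The weighting also illustrates the false-positive caveat above: one odd signal, such as working at 2 a.m. from the usual workstation, stays below the alert threshold, while several deviations together cross it.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Added example, not Balabit's code: a minimal per-user baseline learned from
# historical privileged sessions and scored along the article's three signals
# (habits, possession, inherence) plus the actions performed. All records
# below are constructed sample data and the field names are assumptions.

ALERT_THRESHOLD = 2.0   # a single unusual signal alone should not raise an alert


@dataclass(frozen=True)
class Session:
    user: str
    hour: int               # local hour of day the session started (0-23)
    device: str             # workstation or host the session originated from
    dwell_ms: float         # mean key-press dwell time measured in the session
    actions: frozenset      # distinct privileged actions performed


class Baseline:
    """Per-user profile built from that user's past sessions."""

    def __init__(self, history):
        if not history:
            raise ValueError("baseline needs at least one session")
        self.n = len(history)
        self.hours = Counter(s.hour for s in history)
        self.devices = Counter(s.device for s in history)
        self.actions = Counter(a for s in history for a in s.actions)
        dwells = [s.dwell_ms for s in history]
        self.dwell_mean = mean(dwells)
        self.dwell_sd = pstdev(dwells) or 1.0   # guard against constant history

    def score(self, s):
        """Return (score, reasons); a higher score means further from the baseline."""
        score, reasons = 0.0, []
        # Habit: working hours. An unseen hour scores 1.0 and a rare hour 0.5,
        # so an employee who merely works late does not cross the threshold alone.
        frac = self.hours[s.hour] / self.n
        if frac == 0:
            score += 1.0
            reasons.append(f"hour {s.hour:02d}:00 never seen before")
        elif frac < 0.05:
            score += 0.5
            reasons.append(f"hour {s.hour:02d}:00 is rare")
        # Possession: the device the session comes from.
        if s.device not in self.devices:
            score += 1.0
            reasons.append(f"unknown device {s.device}")
        # Inherence: keystroke dynamics as a z-score against the user's history.
        z = abs(s.dwell_ms - self.dwell_mean) / self.dwell_sd
        if z > 3.0:
            score += 1.5
            reasons.append(f"keystroke dwell z-score {z:.1f}")
        # Activity: privileged actions this user has never performed before.
        novel = sorted(s.actions - set(self.actions))
        if novel:
            score += 0.5 * len(novel)
            reasons.append("new actions: " + ", ".join(novel))
        return score, reasons


def assess(baseline, session):
    """Decide whether a session should be flagged for review."""
    score, reasons = baseline.score(session)
    return score >= ALERT_THRESHOLD, score, reasons


def constructed_history():
    """Eighteen constructed sessions for one admin: 09:00-17:00, one
    workstation, dwell times around 95 ms, two routine privileged actions."""
    routine = frozenset({"db.query", "backup.run"})
    dwells = [90.0, 92.0, 94.0, 96.0, 98.0, 100.0]
    return [
        Session("alice", 9 + i % 9, "wkst-alice", dwells[i % 6], routine)
        for i in range(18)
    ]


BASELINE = Baseline(constructed_history())

# Three constructed sessions to score against the baseline.
LATE_NIGHT_BUT_GENUINE = Session("alice", 2, "wkst-alice", 96.0,
                                 frozenset({"db.query"}))
LIKELY_COMPROMISED = Session("alice", 2, "laptop-unknown", 130.0,
                             frozenset({"db.query", "user.create"}))
ORDINARY = Session("alice", 10, "wkst-alice", 95.0, frozenset({"backup.run"}))

if __name__ == "__main__":
    for name, sess in [("late night", LATE_NIGHT_BUT_GENUINE),
                       ("suspicious", LIKELY_COMPROMISED),
                       ("ordinary", ORDINARY)]:
        alert, score, reasons = assess(BASELINE, sess)
        print(f"{name:10s} alert={alert} score={score:.1f} {reasons}")
```

The late-night session from the usual workstation scores 1.0 and is not flagged; the session from an unknown device with very different typing cadence and a never-before-seen action scores 4.0 and is. In practice the weights and the threshold would be tuned per organization, and the baseline re-learned as a user’s legitimate habits change.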

“You have to trust privileged users,” Gyöngyösi said, “but you also have to recognize they can be a huge risk. Traditional solutions aren’t going to provide much protection against privileged users.”

More stories related to protecting network access:
Sophisticated email monitoring can help companies detect insider threats
Go past the perimeter, inside the network to find where cyber trouble lurks

Neutralizing insider threats is vital to good data security
