By Chris Stoneff, vice president of security solutions, Bomgar
In today’s world cyberattacks have become ubiquitous. Consider the famous words of former Cisco CEO John Chambers, “there are two types of companies: those that have been hacked, and those who don't know they have been hacked.”
So, if it’s inevitable that intruders will get in, the question you should ask is: how will I protect my organization after hackers breach our network perimeter?
The Privileged Account Attack Vector
First, consider what usually happens during a cyberattack. Obviously, hackers get inside your network. And they do it with social engineering, phishing emails, malicious insiders, zero-days, or a host of other tactics. Most of these attacks can quite easily defeat traditional perimeter security tools like antivirus or firewalls that are defending against yesterday’s threats. Once they’re inside, the intruders look for ways to expand their access. To do that, they install remote access kits, routers and keyloggers.
During this phase of an attack, hackers seek SSH keys, passwords, certificates, Kerberos tickets, and hashes of domain administrators. Their goal is to extract the credentials that will let them escalate their access, gain lateral movement throughout the network, and anonymously steal data at will. In our automated world, this entire “land and expand” process can be conducted surprisingly quickly.
But usually, the attackers will take their time. They’ll quietly monitor and record activity on your systems and then use the information they gather to expand their control of your environment. According to research from Ponemon, hackers lurk on the network for an average of 206 days before being discovered. That’s a lot of time for a malicious entity to anonymously prowl your network.
The key factor in this process is privileged access. With access to an unsecured privileged account, an attacker can view and extract sensitive data, change system configuration settings, and run programs on almost any IT asset in an organization – on premises or in the cloud.
In large enterprises there are so many privileged accounts, that organizations often can’t keep track of where all their privileged accounts reside or who has access. Unfortunately, though, almost every one of these powerful privileged accounts represents an attack vector that can be exploited by an insider threat or an external hacker. And it only takes one breached privileged account to snowball into a disaster.
Privileged Identities Are Often Overlooked
When I describe this situation to people, it’s usually at this point where they tell me they have an Identity and Access Management (IAM) tool to handle the problem. "No, actually you don’t," I respond.
Here’s why: IAM products deal primarily with user accounts associated with personal logins. Organizations use IAM solutions to provision and de-provision users.
However, privileged identities aren’t managed by standard IAM systems. Unlike user identities, privileged identities aren’t typically provisioned. Instead, they appear on the network whenever physical and virtual IT assets get deployed or changed. As a result, it’s necessary to discover and track privileged identities with software that’s separate from conventional IAM. That’s where Privileged Access Management (PAM) comes in.
Privileged identities are separate from user identities. They’re different technologies. Industry analysts write about them in separate reports. Software vendors usually specialize in one or the other. At a fundamental level, the idea of a regular user and a privileged user are different.
If user identities are the keys that employees carry to open the front door of the office, privileged identities are the keys used by the security guards to get into every door in the office building.
User identities are tied to a particular person. All the things in the IT infrastructure connected to that particular person are traced to his or her digital identity.
Privileged identities, on the other hand, are not mapped to a single person. They’re used by many people and sometimes these are not even used by people, like the privileged identities created to run service accounts. So, PAM must account for the fact that the people using a privileged identity may be different at any given time. Therefore, it’s essential to have a way to track who has privileged access, and control what they are doing with that access.
Automating Cybersecurity with Privileged Access Management
Now, let’s bring this back to the question posed at the start. If it’s inevitable that intruders will get in, how will I protect my organization after hackers breach our network perimeter?
Traditional perimeter security tools can’t cope with advanced cyberattacks or carefully crafted social engineering exploits. Once the intruders penetrate the perimeter, conventional IAM solutions don’t defend the powerful privileged identities that attackers need to accomplish their nefarious plans.
But PAM technology does. With a PAM solution you can automatically discover all the privileged accounts throughout your cross-platform network. Just one vulnerable account can open up your entire network to compromise. Manually finding and tracking all the privileged accounts in large enterprise environments is virtually impossible. And if you can’t find your privileged accounts, you can’t secure them. But just because you may not know where all your privileged accounts reside, doesn’t mean the bad guys can’t locate them – and exploit them. So, finding your privileged accounts is step one.
Securing them is step two. That involves generating unique and cryptographically complex credentials for each account – and continuously updating them. Manual password change processes can’t keep up with the scale required in large organizations. But with automated PAM technology you can change these credentials as frequently as your policies require – even every couple of hours. That effectively negates advanced cyberattacks like zero days and keeps intruders from nesting in your environment. The reason being, even when an intruder steals one of your credentials, that stolen credential is time-limited and unique. So, it can’t be leveraged to leapfrog between systems and anonymously extract data.
Once an automated PAM solution finds your privileged accounts and then secures them, the next step is controlling access. Modern PAM technology can ensure that only authorized individuals have access to your powerful privileged accounts and only in a fully audited manner. There’s no more mystery around who had access to what and when.