[BreachExchange] Is Privileged Access Management still a pain?

[Destry Winant]

https://www.helpnetsecurity.com/2019/01/08/privileged-access-management/

Every week seems to bring the story of a new customer data breach, but
regardless of the individual details, the majority of incidents have
one trait in common. The chances are high that the breach was made
possible through the compromise of privileged accounts and passwords,
usually acquired through social engineering via phishing emails.

Once credentials have been stolen, unauthorised access can often go
undetected for weeks or even months at a time, enabling the intruder
to undertake a huge level of data exfiltration or lay the foundations
for an even greater attack. One of the most dangerous outcomes is for
the attacker to escalate their activities and gain access to a
privileged account.

What makes a privileged account so important?

Commonly also called superusers, privileged accounts are one of the
fundamental building blocks of the IT environment, used by humans,
applications and services to run tasks requiring elevated permissions.
Accordingly, privileged accounts have many advanced powers and
permissions, including creating and modifying other user accounts,
freely remote access into all machines on the network, and retrieving
sensitive data. They can even make significant changes to the network
infrastructure itself.

Gaining control of a privileged account is a huge coup for a
cybercriminal as these powers can be used to facilitate many different
malicious actions. Armed with superuser credentials, attackers can
bypass normal security controls to access sensitive data and install
malware anywhere on the network with impunity. They can also disguise
their activity by erasing audit trails and destroying evidence,
greatly increasing their potential dwell time and confounding
investigations by the security team.

The ability to protect superuser accounts from being compromised can
make the difference between a minor network intrusion and a breach
that devastates the organisation. However, despite their importance
and the threat they pose in the wrong hands, many IT users are
careless with privileged accounts. Even users who have access to these
accounts as part of their role may not fully appreciate their power
and how dangerous their misuse can be.

Being equipped with a Privileged Access Management (PAM) solution is
one of the best ways to keep privileged accounts under control and
well-protected. These tools make it much easier to govern access to
privileged accounts and can be used to monitor and limit active
sessions to prevent misuse. However, some IT teams have come to fear
PAM tools, considering them expensive, resource heavy, and overly
complicated.

Lingering disrepute

Much of the maligned reputation around PAM stems from experiences with
legacy software. In many cases, previous generations of PAM solutions
were overly complex and difficult to implement. The installation
process could require the use of specialised professionals and could
sometimes take several months or even years to fully complete – or
perhaps remain unfinished indefinitely. The combination of specialists
and lengthy implementation times meant that many IT teams decided the
cost of PAM simply wasn’t worth it.

It should be noted that these experiences often come from a very
different time in cyber security. For many years, the best way to
protect sensitive information and assets was to build a fence around
them. With all data flowing in and out through a single access point,
the traditional perimeter could keep out the majority of threats.
Under this set up, IT teams could more readily assume that their
networks would be protected without the use of PAM.

Today however, the perimeter approach is no longer effective and is
easily circumvented if attackers can gain access to login credentials.
Remote working practices have also greatly increased the surface area
for attack and made it even easier to slip through the perimeter.
Likewise, traditional security tools don’t flag when someone is using
legitimate resources for inappropriate activities, making them
ill-suited for this new model.

Starting a fresh PAM journey

Employing PAM capabilities is essential for an organisation to protect
its privileged accounts from falling into the wrong hands, so any IT
teams still put off by past lessons can now have a positive PAM
experience as it is no longer costly, complex or requires specialised
skills.

PAM is an important priority for all organisations and any previous
challenges can be overcome by beginning with thorough planning and
assessment. The main priority is to identify all accounts with
elevated powers and ensure there are clear policies about proper usage
and responsibilities. The account audit required to get started with
PAM can help demonstrate compliance with the GDPR, PCI, ISO and other
regulations and can also directly help to turn up evidence of unusual
behaviour that indicates a breach or credential misuse.

Establishing a solid foundation will make the process of managing and
securing privileged accounts much more scalable and flexible, helping
organisations avoid the lengthy and expensive implementation processes
of old. The rapidly expanding market now includes many different
options for PAM solutions that can be easily installed out-of-the-box
without the need for specialised skills and expertise. For example,
PAM-as-a-Service can now easily be consumed from the cloud – securing
privileged access to critical assets without the need for
implementation.

The right PAM solution will leave organisations in a much stronger
position to protect their privileged accounts from cyber criminals who
have adopted credential theft and escalation as their main modus
operandi. With proper planning and a flexible and scalable approach,
companies can reap the benefits without the implementation headaches
of legacy solutions.