Over the last decade organizations have been waking up to the fact that most security threats originate from within their organization. That doesn’t mean lots of their employees are acting maliciously, more that they make mistakes that can leave the company’s systems and data at risk of unauthorized access.
This is especially true for privileged users, and so it is crucially important that organizations know what privileged users are doing with their data, and are able to identify suspicious user activity in a precise and timely manner. However, preventing privileged account abuse requires more than simply monitoring user behavior.
Organizations should also receive real-time alerts anytime security policies are violated, or when user activity deviates too far from typical usage patterns. They must also be able to conduct an investigation into all user activities that involve sensitive data. For example, anytime sensitive data is accessed, read, copied, changed, or deleted in a way that doesn’t correlate with a user’s typical routine, an alert must be sent to the administrator, who will review the changes to determine their legitimacy.
The Signs of Privileged Account Abuse
Below are some examples of the activities you will need to watch out for in order to spot privileged account abuse:
- Sensitive data is copied to a personal device, which violates security policies.
- A user accesses sensitive data outside of normal working hours.
- A user tries to access a system that they don’t need access to, and/or are not authorized to access.
- Either a user tries to logon from multiple endpoints at the same time, or multiple users try to logon from the same endpoint.
- An usually large number of changes were made to a document or drive containing sensitive data.
- Accounts that were previously inactive, becoming active again.
It’s worth bearing in mind that attackers are always looking for ways to disguise their malicious behavior. They will, as much as possible, try to take their time and stick to an unsuspicious routine, as to prevent sounding any alarms.
Another cause of privileged account abuse is caused by companies failing to adequately enforce “least privilege” access on all accounts. Users should be granted the least privileges they need to perform their role, and permissions should be revoked when they are no longer required. After all, it is common for organizations to forget to revoke an employee’s permissions, even after they have left the organization. Likewise, contractors, suppliers, and other third parties that have access to their network are often granted more privileges than they need, and these permissions are not revoked when the business relationship ends.
How to Prevent Excessive Permissions
Below is a simple checklist to follow in order to prevent current or past employees and third-parties having too much access to sensitive data:
- Create an inventory of all user accounts.
- Determine which accounts have privileged access.
- Determine whether any of these accounts have excessive privileges.
- Determine what data, if any, is overexposed.
- Establish a procedure to follow when a user’s role is changed.
- Establish a procedure to follow which allows a user to request access to sensitive data.
- Establish a procedure to follow for authorizing requests.
- Establish a procedure to follow for documenting changes to access permissions.
- Discover and disable all inactive user accounts.
What to look for in a Privileged Account Management Solution
There are many Privileged Account Management (PAM) solutions available that will make it easier for companies to prevent, detect and respond to privileged account abuse. In order to choose the right solution, there are certain things you will need to look for, which include:
- The ability to promptly identify an attack or security policy violation before it affects business operations.
- The ability to maintain an immutable record of alerts that can be scrutinized via a single dashboard.
- The ability to keep a score of each user in order to monitor trends and predict malicious activities before they happen.
- The ability to detect and manage inactive user accounts.
- The ability to detect and respond to events that match a pre-defined threshold condition, such as when a large number of files are encrypted, or when multiple logon attempts fail within a given time frame.
Privileged account abuse is very hard to prevent because preventative measures are only effective until the attacker gains access to a privileged account. Likewise, if the threat actor is a malicious or negligent employee, they may already have legitimate access to a privileged account, in which case you will need to focus more on detection than prevention. In order to detect privileged account abuse you first need to establish a baseline of typical user behavior. For example, employees typically operate in the same way, every day. They access the same systems, during certain hours of the day, from a certain location, using a certain device, and so on. Building a user profile by recording these activities will help you identify patterns that can be tested against in order to spot potentially malicious activity.
How Lepide Helps Enhance Privileged Access Management
Privileged Access Management solutions on their own often fall short of providing the level of security and insight required to protect data and meet compliance. Lepide provides added value prior to/in parallel to deployment, post-deployment, and in an ongoing fashion.
If your AD is unclean, then your whole PAM project will be messy. To help you assess and clean up your Active Directory, Lepide can help you identify your inactive users/computers, open shares troublesome accounts, legacy issues with users, passwords that never expire, over-privileged users and more.
You also need to be able to understand your privileged users and their behavior, including how many privileged users you have, whether their behavior is anomalous, what they are doing with sensitive data, and how they are accessing Active Directory. Lepide will help you to find your privileged users and their activities in real-time.
Lepide Data Security Platform will also help you understand where your sensitive data is and why it is sensitive. This is important as it will help you determine which of your users should be able to access the data. The solution will also spot trends in behavior around interactions with this data and identify excessive permissions.
If you’d like to see how the Lepide Data Security Platform can help prevent privileged account abuse, schedule a demo with one of our engineers.