Intelligent CISO Issue 24 | Page 49

Peter Draper, Technical Director EMEA, Gurucul

It’s widely accepted by today’s cybersecurity departments that many serious data breaches can be traced back to the abuse of privileged credentials, and yet teams still struggle to integrate this realisation into day-to-day operations.

On the face of it, this shouldn’t be happening. Organisations have been making big investments in IT security tools such as Security Information and Event Management (SIEM), next-generation firewalls and intrusion prevention systems (IPS), as well as a variety of anomaly detection systems, email and web filtering and Data Leak Prevention (DLP). Despite this, data breaches continue to plague companies, with new avenues for attack appearing, such as unsecured Remote Desktop Protocol (RDP) and VPN servers, oiled by a steady flow of software vulnerabilities, including ‘surprise’ zero days.

Organisations feel compelled to open their networks to cope with an increasingly mobile, remote workforce, to the cloud and IoT, and to enable a complex web of remote access used by suppliers and service providers. Many of those connections, including those to cloud applications, are accessed using powerful privileged account credentials that represent a security risk. These accounts are difficult to find, and controlling and monitoring access to them is challenging.

From the attacker’s side, compromising these privileged account credentials to access sensitive systems is little more than a percentages game. With so many avenues to target them – social engineering, phishing attacks, zero days and collaboration with malicious insiders – penetrating an organisation’s network is about patience. If at first you don’t succeed, keep trying, because it’s a certainty that a new weakness will emerge. Once armed with the credentials to get behind an organisation’s defences, attackers look to grab what they can, such as SSH keys, certificates and domain admin hashes, to move laterally on the network.

It’s a despairing thought that among the thousands of privileged accounts attackers might aim for, it takes only one to seed a major data breach that brings an organisation to its knees.

Privileged Access Management (PAM)

This isn’t just about threats from outside the organisation, but the ones emanating from inside it too. According to Gurucul’s Cybersecurity Insiders’ 2020 Insider Threat Report, security professionals are well aware of the threat posed by unsecured privileged accounts, with 63% agreeing that privileged users pose the biggest risk from inside an organisation and 68% saying they felt vulnerable to insider attacks generally.

Almost all of these organisations will have deployed multiple layers of security solutions to contain threats from outside the organisation, but conventional security tools do not defend against privileged account misuse. When the same scenarios are modelled inside the network, there is often no defence at all.

A major problem hindering organisations has been the inherent difficulty in identifying and securing privileged accounts, including those in the cloud. Consequently, many invested in Identity and Access Management (IAM). While IAM is good at managing user identities tied to a known person, it struggles to cope with identities that aren’t defined in this way, such as admin accounts used to manage IT resources. Finding these