When a breach happens, the first question people ask is, “What did the company do wrong?”
The short answer is – it depends.
Get the Free Pen Testing Active Directory Environments EBook
However, we do know one mistake many companies unknowingly make is allowing regular users access to the local administrator account.
And hackers take advantage of that. Hackers – White Hats and Black Hats – study Active Directory (AD) backwards and forwards. They know all the tricks to find and exploit any hole in your AD schema. Privileged accounts are like leaving them a gift-wrapped present with their name on it.
“Hackers are trying to get in, and they’re using people’s user credentials. Then they’re hopping around until they get a privileged account,” says senior security director Jackson Shaw.
You need to understand how to make it difficult for a hacker to infiltrate AD. More importantly, you need to know what to look for when they do.
What is The Difference Between Privileged Access Management (PAM) and Identity and Access Management (IAM)?
Privileged Access Management (PAM) is the monitoring and security involved with privileged accounts. Privileged accounts are accounts that have greater security permissions or risk than a “standard” user in your environment.
PAM focuses on the accounts that have greater capabilities and capacity to harm your network, which is a different task than managing every user.
PAM Account Examples
Any account with elevated permissions or status in your company is a privileged account. You need to monitor every sysadmin, C-level, or service account differently than other user accounts. Here is a list of the normal privileged accounts.
- Local Administrative Accounts: Any account that is part of the local administrator group on any computer is a privileged account.
- Service Accounts: Accounts that you use to operate applications are service accounts. In general, they only exist to allow an application to do its job and do not have permissions outside of that responsibility. These accounts could access OS, files and folders, and/or databases.
- Domain Admin Accounts: Domain Admins have privileges across all systems and users on the network domain. These accounts have god-mode privileges.
- Privileged User Accounts: You know that user you granted local administrative access on that one computer that time? That account is now privileged.
- C-level Accounts: Privilege doesn’t only mean access to computer systems, it can also mean influence. Think about it, you react differently if you get an email from the CIO than you do your peers. Hackers use this influence in their whale-phishing attacks.
How Does PAM Work?
So how should you set up your PAM initiatives to get the best protection for your privileged accounts?
Well-known security standards and frameworks such as SANS Critical Security Controls, NIST 800-53, ISO 27001, NIST Cybersecurity Framework, and COBIT 5 address many common security issues in various ways. However, their recommendations for managing privileged accounts are fairly similar.
These are their tips:
- Track the use of administrative privileges. Monitor and audit every change made by privileged accounts and use data security analytics to analyze activity that is out of character for any privileged account. Admins need two accounts, one for their primary usage and a second account for their privileged access that they only use to make network changes.
- Remove privileged accounts from all users where system administration isn’t part of their responsibilities. Each user account only needs the minimum permissions to do their work. Implementing the Least Privileged Model protects you during cyberattacks by limiting the movements of the attackers.
- Incorporate your privileged account management strategy with your plan to protect your organization’s most sensitive data. You’ll find that if you go through the process below, you’ll also automatically meet the privilege account requirements with Payment Card Industry Data Security Standard (PCI DSS), Federal Financial Institutions Examination Council (FFIEC), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) and more.
Here’s what you’ll need to do:
- Take an inventory of your organization’s privileged accounts, users and groups, as well as your file systems.
There could be hundreds and possibly thousands of administrator accounts on your network today. Identify them. Locate user and group structures and file system permissions. Then map directory services and file systems together to build context about users and their roles – what data they can access, how they get access, and where they have access across a multitude of servers or disparate platforms.
- Identify your organization’s most sensitive data.
Scan your file systems for sensitive data based on pattern, string, and dictionary matching, and/or incorporate results of other manual or automated classification efforts. Locating your organization’s sensitive or regulated data will help you prioritize your protection efforts.
- Audit all file system, email, and user and group activity
Monitoring and logging access to your data, emails, Active Directory, DNS, and VPN give you all the data you will need to detect cybersecurity threats and unauthorized access to your data. You will need an excellent correlation engine with pre-built data security threat models to analyze all of that data.
- Monitor administrators, service accounts, executives with more scrutiny.
Once you identify privileged accounts – administrators, service accounts, or executive – you’ll want to monitor them knowing they are targets for hackers during a cyberattack.
What are The Advantages of Privileged Access Management?
PAM’s biggest advantage to your business is data security. It’s remarkably easy for hackers to move laterally through a network. PAM builds barricades in your network that can contain and prohibit an infiltrators movement through your network. These are barricades of access rights. A hacker won’t be stopped, but they will be limited. Hackers will need to steal several accounts to steal the data that makes their efforts worthwhile, and that buys you time to detect and neutralize their efforts.
Other advantages of PAM are:
- Moves your organization towards a least privilege model, which is a big part of security and compliance like NIST, SANS, GDPR, and HIPAA
- Keeps access rights in focus, so you maintain a secure environment
- Provides audit data about privileged account activity
Traditional Privileged Access Management versus Modern Privileged Access Management
Previous iterations of PAM proposed an overly complicated system of password vaults and privileged session manager (PSM) implementations. PSM systems control how users login to privileged accounts. The problem with these systems is that they are both a single point of failure. If either one of these systems fails, your sysadmins and other privileged users can’t do work. Think about what kind of users we classified as privileged. Service accounts that provide business services to large parts of your organization and executives and C-level users. Could you afford a failure in a single system that crippled your entire organization?
The modern PAM implementations focus on implementing and maintaining a least privilege model and monitoring activity with advanced data security analytics. Least privilege gives users (privileged and otherwise) the access they need to do their job. Monitoring and data security analytics detect changes in behavior that could indicate external or insider threats at work. Those two paradigms keep your business churning with the protections you need to protect your data.
Varonis provides the functionality you need to implement and support PAM. Varonis maps your data to highlight over permissive folders and at-risk accounts. Varonis automates clean-up of common folder issues like global access groups. Varonis monitors and audits file activity, Active Directory, emails, VPN, DNS, and web proxy data.
Then Varonis compares all of that data in context to established behavioral baselines and a library of data security threat models. Current abnormal behavior that matches a threat model will throw an alert and provide your team with the forensics you need to track down and neutralize the threat.
And finally, Varonis enables you to manage your PAM implementation by creating a workflow to provision and audit permissions that puts data owners in charge of their data. When data owners are empowered to protect their own data, your data is safer from unmitigated access. This workflow also saves your organization on IT costs to maintain least privilege.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.