This is the third in a weekly four-part series providing practical insight on how to best implement an effective Privileged Identity Management program.
In the first post of this series, we provided an introductory overview of Privileged Identity Management. Then, in part two we covered the basic check-off items required for a Privileged Identity Management program. This week we’ll talk about taking Privileged Identity Management to the next level – proactive cyber defense.
Privileged Identity Management is one of the few areas in IT security where you can truly address the threats, both external and internal, that are prevalent today. It goes beyond simply monitoring and analyzing threats to the point of actually fighting back.
Here are four ways to make your Privileged Identity Management platform the keystone of your proactive cyber defense strategy.
Move Beyond Passwords
Most conversations about controlling privilege quickly morph into discussions about controlling passwords. That makes sense. Everyone understands passwords. But passwords are only part of the overall risk exposure. There are things other than passwords that must be found, brought under management and rotated aggressively. Here are three things to focus on:
- SSH keys, which allow remote logins with no passwords for any accounts, including root and other privileged identities
- AD group memberships, which give out authority in AD-connected systems that is often the equivalent of rights held by administrative accounts
- Sudo, which allows regular accounts to use privileged entitlements or become privileged identities, sometimes without requiring extra authentication
The idea that should drive you is this: every way that people log in or use privilege should be a target for Privileged Identity Management.
Use Closed Loop Discovery
The only thing that stays the same is the fact that everything changes. You may have all your privileged identities under control today. But there could be changes tomorrow that cause you to be partially out of control. Trying to address this manually is a game of whack-a-mole you can never win.
What you need is a discovery process that makes sure your systems do the keeping up for you. Of course, different systems will allow different modes and levels of discovery. That means one size will not fit all.
You need a Privileged Identity Management platform that can do discovery in the places where it’s well supported by the platform, e.g. on Windows servers, Linux servers and other systems connected to AD. For discovery in other areas, you likely need to branch out and integrate with other IT systems like the CMDB and management platforms.
Discovery isn’t the whole story, though. Once something is discovered, it must be brought into the system, analyzed and made available for management. That’s where the “closed loop” part comes in. Simply going out to scan and producing a report is not enough. Discovery needs to result in action within the platform.
And if a new system comes online, it needs to immediately get the same protection as all the other systems in its class. In today’s reality, we need to assume that we’re already breached. It’s too risky to wait for a manual process.
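The two sections above (finding SSH keys and sudo rules that bypass passwords, and making discovery result in action rather than a report) can be shown together in one script. The following is an added example, not code from the original post or from any product: it parses constructed authorized_keys and sudoers samples, turns each privilege path into a finding with a stable identifier, and reconciles the findings against a managed inventory so that a new key or rule is enrolled on the next scan and a vanished one is retired. The host names, account names and key material are all made up for the demo.

```python
"""Added example: discover password-less privilege paths (SSH authorized keys
and sudo rules) and reconcile them against a managed inventory, so that a new
finding is enrolled rather than merely reported. All input data is constructed."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample data: (host, account) -> authorized_keys contents.
SAMPLE_AUTHORIZED_KEYS = {
    ("web01", "root"): (
        "# ops team\n"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterial0001 ops@bastion\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoKeyMaterial0002 contractor@laptop\n"
    ),
    ("db01", "postgres"): (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterial0003 backup@backup01\n"
    ),
}
# Constructed sample data: host -> /etc/sudoers contents.
SAMPLE_SUDOERS = {
    "web01": (
        "Defaults env_reset\n"
        "root ALL=(ALL:ALL) ALL\n"
        "%wheel ALL=(ALL) ALL\n"
        "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx\n"
    ),
    "db01": "dba ALL=(postgres) NOPASSWD: ALL\n",
}

SSH_KEY_RE = re.compile(
    r"^(?:\S+\s+)?"                                   # optional key options
    r"(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)"                      # base64 key material
    r"(?:\s+(?P<comment>.*))?$"
)
SUDO_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"          # user or %group, then hosts=
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"      # (runas) [TAG:] commands
)


@dataclass(frozen=True)
class Finding:
    kind: str          # "ssh-key" or "sudo-rule"
    host: str
    subject: str       # account the privilege path leads to
    detail: str
    passwordless: bool
    key: str           # stable id used to match against the inventory


def _ident(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def discover_ssh_keys(authorized_keys: dict) -> list:
    findings = []
    for (host, account), text in authorized_keys.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = SSH_KEY_RE.match(line)
            if not m:
                continue
            # Id over the base64 blob (not the OpenSSH fingerprint, which hashes the
            # decoded key); enough to recognise the same key again on a re-scan.
            findings.append(Finding("ssh-key", host, account,
                                    f"{m['type']} {m['comment'] or ''}".strip(),
                                    True, _ident("ssh", m["blob"])))
    return findings


def discover_sudo_rules(sudoers: dict) -> list:
    findings = []
    for host, text in sudoers.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith(("#", "Defaults")):
                continue
            m = SUDO_RULE_RE.match(line)
            if not m:
                continue
            findings.append(Finding("sudo-rule", host, m["runas"] or "root",
                                    f"{m['who']} -> {m['cmds']}",
                                    "NOPASSWD" in m["cmds"], _ident("sudo", host, line)))
    return findings


def run_discovery(authorized_keys: dict, sudoers: dict) -> list:
    return discover_ssh_keys(authorized_keys) + discover_sudo_rules(sudoers)


class Inventory:
    """Managed privilege paths. reconcile() closes the loop: everything newly
    discovered is enrolled, anything that has disappeared is retired."""

    def __init__(self):
        self.managed = {}

    def reconcile(self, findings: list):
        found = {f.key: f for f in findings}
        enrolled = [f for k, f in found.items() if k not in self.managed]
        retired = [f for k, f in self.managed.items() if k not in found]
        for f in enrolled:
            self.managed[f.key] = f   # stands in for real enrolment (vault record, rotation schedule)
        for f in retired:
            del self.managed[f.key]
        return enrolled, retired


if __name__ == "__main__":
    inv = Inventory()
    for f in inv.reconcile(run_discovery(SAMPLE_AUTHORIZED_KEYS, SAMPLE_SUDOERS))[0]:
        flag = "NOPASSWD " if f.passwordless else ""
        print(f"enrol {f.kind:9} {f.host}:{f.subject:9} {flag}{f.detail}")
```

The point of the `Inventory` class is that the scan output feeds straight into state the platform acts on: the first run enrols all seven paths, a second identical run enrols nothing, and removing a key from a host retires it. In a real deployment the enrolment step is where the key or rule gets a rotation schedule and an owner, and the `Defaults` and `#include` lines that this toy parser skips are exactly where a production parser needs more care.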
Control and Record Sessions
Ultimately, you will need to expose yourself to some risk because humans need privileges to get their work done. In many cases, though, you can drastically reduce this risk by making sure they never directly handle the credentials behind the privilege they wield, and by letting them know they’re being watched.
For routine IT tasks, the best practice is to simply give your administrators fully formed sessions which are recorded. This way they never know any passwords or other details, but they can get the work done just the same. The less they have to touch, the less there is at risk.
Having a recording to go back and look at from a forensics standpoint is also good. But the better part of recording is often the effect it has on the mindset of the person using the session. People behave much better on average when they feel they are being observed.
Tie Privileged Identity Management into your SIEM
Generally, Privileged Identity Management is seen as a proactive control. You put it in place to prevent issues before they happen. However, it works just as well as a reactive control.
When threats of any kind raise an alarm, you can be sure that 99 times out of 100 those threats are trying to capture privileged credentials to do harm. You should react to this with a Privileged Identity Management system that can jump into action and rotate credentials as fast as possible.
Changing that one critical password at the right moment could make the difference between your being a headline or a hero.
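The reactive flow described in this section, as an added example that is not part of the original post and does not use any real SIEM or vault API: a SIEM alert arrives as JSON on a webhook, a small policy decides which privileged accounts on the affected host (and, for the constructed "lateral_movement" category, on the domain tier as well) must be rotated, and a stand-in vault generates new secrets and writes an audit record tied to the alert id. The alert format, the category-to-scope policy, the host and account names and the `Vault` class are all assumptions made for the demo.

```python
"""Added example: turn a SIEM alert into an immediate credential rotation for
the privileged accounts reachable from the affected host. Alert format, account
map, policy and vault are constructed for the demo, not a real product's API."""
import json
import secrets
import string
from datetime import datetime, timezone

# Constructed: which privileged identities live on which host.
PRIVILEGED_ACCOUNTS = {
    "web01": ["root", "svc-deploy"],
    "db01": ["root", "postgres"],
    "dc01": ["Administrator", "svc-backup"],
}
# Constructed policy: alert categories that justify rotation and how far it reaches.
ROTATE_ON = {
    "credential_dumping": "host",    # rotate everything on the affected host
    "lateral_movement": "domain",    # ... plus the domain-tier hosts below
    "brute_force": "host",
}
DOMAIN_TIER = {"dc01"}

# Constructed alert, shaped like a SIEM webhook payload.
SAMPLE_ALERT = json.dumps({
    "id": "alert-0001", "severity": "high", "category": "credential_dumping",
    "host": "web01", "user": "jdoe", "ts": "2024-01-01T00:00:00Z",
})


class Vault:
    """Stand-in for the PIM credential store: generates and records new secrets."""
    ALPHABET = string.ascii_letters + string.digits + "!@#%^*-_=+"

    def __init__(self):
        self.secrets = {}   # (host, account) -> current secret
        self.audit = []     # one record per rotation, tied to the triggering alert

    def rotate(self, host: str, account: str, reason: str) -> dict:
        # secrets.choice draws from the OS CSPRNG; 32 chars from a 72-symbol alphabet
        new_secret = "".join(secrets.choice(self.ALPHABET) for _ in range(32))
        self.secrets[(host, account)] = new_secret
        record = {"host": host, "account": account, "reason": reason,
                  "at": datetime.now(timezone.utc).isoformat()}
        self.audit.append(record)
        return record


def plan_rotation(alert: dict) -> list:
    """Return the sorted (host, account) pairs the alert should rotate, or []."""
    scope = ROTATE_ON.get(alert.get("category"))
    if scope is None or alert.get("severity") not in ("high", "critical"):
        return []
    hosts = {alert["host"]}
    if scope == "domain":
        hosts |= DOMAIN_TIER
    return sorted((h, a) for h in hosts for a in PRIVILEGED_ACCOUNTS.get(h, []))


def handle_alert(raw_json: str, vault: Vault) -> list:
    """Webhook entry point: parse the alert, rotate what the policy says, report."""
    alert = json.loads(raw_json)
    rotated = []
    for host, account in plan_rotation(alert):
        vault.rotate(host, account, reason=alert["id"])
        rotated.append((host, account))
    return rotated


if __name__ == "__main__":
    vault = Vault()
    for host, account in handle_alert(SAMPLE_ALERT, vault):
        print(f"rotated {account}@{host} because of alert {json.loads(SAMPLE_ALERT)['id']}")
```

Two things matter beyond the happy path shown here. First, the severity and category gate in `plan_rotation` is what keeps a noisy SIEM from rotating credentials on every low-value event, so the policy deserves as much review as the rotation code. Second, rotating a service account such as `svc-deploy` only helps if the things that use it pick up the new secret; in practice the vault, not the handler, must push the new value to its consumers, or the emergency rotation becomes an outage.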
Where We’ll Go Next
In the final part of this series, we’ll dive into advanced Privileged Identity Management best practices.