Every year we are told that the cyber threat landscape is rapidly evolving and that attackers are adapting faster than we can deploy security solutions. Organizations must defend against an ever-expanding attack surface made even more complex with digital business transformation, bring-your-own-everything, and the Internet of Things (IoT) revolution.
Compartmentalized approaches to security, in which a different set of controls is applied to each of the data center, desktops, mobile and public cloud, are proving less effective as critical work occurs and data resides across all of these environments. As such, many enterprise security programs focus on not just deploying more security, but also building cyber resilience.
Cyber resilience is the ability to withstand or quickly recover from a cyber attack. Even if an attacker obtained unauthorized access, the activity would be detected, responded to, and business disruption would be minimized. The challenge is that achieving cyber resilience can be a long journey. There is, however, one key control that can be implemented quickly and is a vital component of withstanding an attack: privileged access management (PAM).
PAM is an Essential Cyber Control
Privileged credentials hold various keys to the enterprise kingdom and are primary targets for attackers. The 2018 Verizon Data Breach Investigations Report (DBIR) found that stolen credentials were the most prevalent method of attack across all successful breaches. A Forrester survey of network security decision-makers whose firms have had a security breach in the last 12 months found that the resulting top two changes in those organizations were to increase spending on prevention and network detection technologies.
Adding security controls on prevention and detection can always help raise security posture. Consider, however, that controlled use of administrative privileges as a single control can drastically reduce risks of a significant breach. It is one of the basic CIS Critical Security Controls. Along with patching and application whitelisting, restricting administrative privileges can mitigate at least 85% of intrusions, according to the Australian Signals Directorate.
Even organizations that have already implemented an identity and access management (IAM) solution need to control privileged access. With automated password and key rotation, PAM is more than just identity management for admin users; it also lets organizations control, monitor, audit and record privileged sessions. Indeed, isolating secure privileged user sessions is an important layer of a defense-in-depth strategy as it significantly narrows the attack surface.
Resilience Addresses All Manner of Attacks
Narrowing the attack surface against privileged access starts by implementing least privilege access control. One key attack path is local admin rights on endpoints. PAM gives an organization not only the ability to protect against admin credential theft with secrets management, but also the visibility to know which of its thousands of endpoints are under PAM control. Endpoints not under PAM control can be prioritized and updated as appropriate.
Another PAM benefit for endpoint security is to enforce least privilege and application control. Not doing so, and allowing an authenticated admin user to run any command, opens the door for malware to obtain a foothold (assuming a successful attack) and allows for insider malfeasance or inadvertent, unauthorized activity (i.e., accidental execution).
While other endpoint security layers such as endpoint detection and response (EDR) and next-generation anti-virus (NGAV) may detect malware, normal but unauthorized privileged access often slips through malware detection. To build resilience against all manner of attacks, privileged access should be authorized through workflow, isolated to a specific user/system/time/location, and controlled with the principle of least privilege.
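The controls described in the last three paragraphs (workflow authorization, access scoped to a specific user, system, time window and location, and a least-privilege allowlist of commands) can be illustrated with a small policy-evaluation routine. The code below is an added example written for this page, not code from the original post or from any PAM product; the policy, the approved-ticket set and the sample requests are all constructed, and the names `Policy`, `Request`, `evaluate` and `audit_line` are assumptions of the example.

```python
"""Toy privileged-access policy check (added example, not from the original post).

A privileged session is granted only when the request is tied to an approved
workflow ticket, matches a policy scoped to a specific user, target system,
time window and source network, and the requested command is on that policy's
least-privilege allowlist. Every decision, allowed or denied, is rendered as an
audit record. All policies, tickets and requests below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    user: str
    system: str
    window_start: time                 # local time window in which access is permitted
    window_end: time
    source_net: str                    # CIDR the session must originate from
    allowed_commands: FrozenSet[str]   # least-privilege command allowlist


@dataclass
class Request:
    user: str
    system: str
    command: str
    source_ip: str
    when: datetime
    ticket: Optional[str] = None       # workflow/change ticket attached to the request


# Constructed sample policy: deliberately narrow (one user, one system,
# one business-hours window, one admin network, two permitted commands).
POLICIES: List[Policy] = [
    Policy("alice", "db01", time(9, 0), time(18, 0), "10.0.5.0/24",
           frozenset({"systemctl restart postgresql", "journalctl -u postgresql"})),
]

# Constructed stand-in for the workflow system: tickets that have been approved.
APPROVED_TICKETS: Set[str] = {"CHG-1001"}

# Constructed reference time used by the sample requests (a weekday afternoon).
SAMPLE_TIME = datetime(2018, 7, 10, 14, 30)


def evaluate(req: Request, policies: List[Policy] = POLICIES,
             approved: Set[str] = APPROVED_TICKETS) -> Tuple[bool, str]:
    """Return (allowed, reason). Any failed check denies; the first failure is reported."""
    if req.ticket not in approved:
        return False, "no approved workflow ticket"
    matches = [p for p in policies if p.user == req.user and p.system == req.system]
    if not matches:
        return False, "no policy scopes this user to this system"
    policy = matches[0]
    if not (policy.window_start <= req.when.time() <= policy.window_end):
        return False, "outside permitted time window"
    if ip_address(req.source_ip) not in ip_network(policy.source_net):
        return False, "source address outside permitted network"
    if req.command not in policy.allowed_commands:
        return False, "command not on least-privilege allowlist"
    return True, "allowed"


def audit_line(req: Request, decision: Tuple[bool, str]) -> str:
    """Render a decision as an audit record; denied requests are recorded too."""
    allowed, reason = decision
    return (f"{req.when.isoformat()} user={req.user} system={req.system} "
            f"src={req.source_ip} ticket={req.ticket} cmd={req.command!r} "
            f"decision={'ALLOW' if allowed else 'DENY'} reason={reason}")


if __name__ == "__main__":
    samples = [
        Request("alice", "db01", "systemctl restart postgresql", "10.0.5.17", SAMPLE_TIME, "CHG-1001"),
        Request("alice", "db01", "bash", "10.0.5.17", SAMPLE_TIME, "CHG-1001"),           # unrestricted shell
        Request("alice", "db01", "systemctl restart postgresql", "10.0.5.17", SAMPLE_TIME),  # no ticket
        Request("alice", "db01", "systemctl restart postgresql", "198.51.100.8", SAMPLE_TIME, "CHG-1001"),
        Request("alice", "db01", "systemctl restart postgresql", "10.0.5.17",
                SAMPLE_TIME.replace(hour=23), "CHG-1001"),
        Request("alice", "web01", "journalctl -u postgresql", "10.0.5.17", SAMPLE_TIME, "CHG-1001"),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

Only the first request is allowed; the others fail on exactly one of the five checks, which is the point of layering them: an attacker or careless insider holding a valid admin credential still needs an approved ticket, the right source network, the right time window, and a command on the allowlist, and each denied attempt leaves an audit record rather than slipping through as "normal" privileged activity.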
Lastly, PAM should cover not just human users but also nonhuman service and application accounts. This is even more important for non-interactive systems such as IoT devices and IT infrastructure, where an intrusion is more likely to go unnoticed. As we have seen with the Mirai botnet and the recent VPNFilter malware, which showed admin interfaces on devices with infrequent patch cycles to be prime targets, organizations that were proactive with privileged credential management were unaffected by these attacks.
Creating cyber resilience is a cross-functional journey across the organization. Withstanding an attack and recovering quickly requires visibility, control, accountability, and auditability throughout the IT enterprise. Privileged access management provides all these benefits while protecting your most critical users and assets.