Know Thy Enemy: Threat Analytics Boosts PAM Effectiveness

March 24, 2020 Sam Flaster

Threat Analytics

“Every battle is won before it is fought”
― Sun Tzu, The Art of War

The Art of War, Chinese Philosopher Sun Tzu’s treatise on military strategy, is one of the most influential texts in modern history, influencing strategic decision-making from military command centers, corporate boardrooms and the locker rooms of iconic sports teams. The book is less about the x’s-and-o’s of individual battles than about the discipline of preparation. “If ignorant both of your enemy and yourself, you are certain to be in peril,” Sun Tzu teaches.

This advice serves as an essential reminder in today’s cybersecurity landscape – preparedness and self-awareness are as crucial to cybersecurity as they are to battle. To account for increasingly sophisticated cyber threats, businesses must pivot away from a reactive, compliance-driven mindset towards a more proactive security-first approach. To avoid the dangers of ignorance, businesses need a constant stream of data and intelligence across their security operations, as they can only prepare for the threats that they understand.

Threat analytics tools that analyze security risks associated with privileged access are powerful weapons for strategic Privileged Access Management (PAM) programs. They are also key to applying Sun Tzu’s advice to modern day cybersecurity and becoming more aware of both enemy cyber attackers and the dangers of unmanaged privileged accounts that could put your organization at risk.

Security teams with a PAM program or those that are looking to implement one should leverage PAM providers’ threat analytics capabilities and look also at the analytics capabilities already in use by their Security and Operations teams.

Since most cyber attacks follow the progression of gaining an initial foothold on the network and then moving laterally to escalate privileges, threat analytics tools provide vital risk reduction capabilities and the foundation for an effective PAM program.

Here’s how threat analytics can help organizations improve their security posture and operational efficiency by better understanding themselves and their enemies.

Keep Unsecured Privileged Accounts Off the Battlefield

The Art of War has an entire chapter dedicated to the importance of understanding the “terrain” on which a battle takes place. In alignment with that concept, well-run PAM programs leverage threat analytics to continuously scan and discover unmanaged privileged accounts both on-premises and in the cloud.

A good place to start is with unmanaged Linux, Unix and Windows accounts. Getting unmanaged accounts under control presents a quick win in terms of quantifiable risk reduction.  After unmanaged accounts have been discovered, PAM solution can automatically onboard these accounts, eliminating time consuming and error-prone processes.

Gather Intelligence and Shut Down Attacks in Real-Time

Once unmanaged privileged accounts have been identified, threat analytics capabilities provide consistent controls against risky behavior associated with common attack vectors in SaaS, on-premise and IaaS environments. Threat analytics provide vital context on anomalous activity and privileged behavior that help organizations follow Sun Tzu’s advice to “know the enemy and know yourself.”

Even when organizations manage and protect credentials for their hybrid cloud environments, there is still the potential that these credentials could be left exposed in public code repositories or on end user’s systems. Malicious attackers could find these keys and use them to cause harm – like causing business disruption.

Consider that threat analytics in PAM solutions can detect when privileged AWS access keys have been used without having been retrieved from the PAM solution. Recognizing this indicator of potential compromise, the PAM solution can automatically rotate credentials and alert security teams, providing them additional response time. The same capabilities can help defend against credential theft and other attack vectors in on-premises environments as well.

By analyzing data on the usage of privilege accounts through machine learning and artificial intelligence, threat analytics can establish baseline usage patterns in order to detect behavioral anomalies that could signal in-progress attacks.  Examples include:

  • Behavior that violates user permissions, such as an employee bypassing the PAM solution to reset a password
  • Unauthorized attempts to escalate privileges, including an admin granting himself unnecessary privileges
  • Irregular behavior for a non-human identity, like an interactive log-in for a service account
  • Irregular behavior for a human identity, such as a user retrieving an unusual volume of passwords from a credential vault
  • Dormant users suddenly becoming active, for example, an inactive employee user accounts re-surfacing to access sensitive data
  • Irregular machine usage, like servers signaling heavy workloads during non-work periods

By detecting these and other anomalies, security teams can rapidly investigate or even automatically respond to and shut down potential attacks, helping them heed Sun Tzu’s advice to “fall like a thunderbolt.”

Integrate Privileged Threat Analytics with Other Security Tools

Integrating PAM solutions with other solutions such as Security Information Event Management (SIEM) tools, which log and analyze data to monitor security events, can augment the value of both solutions. By focusing on the most sensitive infrastructure in an organization and the most high-risk activity, PAM solutions can identify risks that traditional SIEM tools may not.

Sharing information bi-directionally between PAM and SIEM solutions can eliminate information silos and unify threat intelligence across the enterprise. This provides SOC teams the ability to strike quickly and rapidly respond to security events.

Sun Tzu said “Know yourself and you will win all battles.”  Threat analytics can help organizations prepare for ongoing battle in the constantly evolving threat landscape by helping to ensure that all privileged accounts are fully managed, monitored and controlled in order to understand the behavior of their adversaries and remediate threats in real-time.

Curious about how threat analytics fits into an effective PAM strategy? Watch this webinar to learn more.

Previous Article
Secure Workflows with Native Privileged Session Management
Secure Workflows with Native Privileged Session Management

From user-friendly web apps like Salesforce to IT-centered functions such as Windows Remote Desktop Protoco...

Next Video
CyberArk and Tenable – Providing Enhanced Vulnerability Insight While Protecting Privilege Access
CyberArk and Tenable – Providing Enhanced Vulnerability Insight While Protecting Privilege Access

CyberArk and Tenable together bring visibility into the privileged access landscape at an organization and ...