Privileged Account Management and Monitoring

26 Jul Privileged Account Management and Monitoring

System and network administrators require a privileged account to perform higher-level activities within a network.  These activities include changing settings, working with logs, provisioning new accounts, or managing sensitive datasets. These accounts require careful control and monitoring due to their ability to cause significant harm to the organization if used maliciously.

The nature of this risk means that organizations must take steps to monitor the activities of privileged users to watch for signs of compromise or misuse. Additionally, IT leaders should ensure that their organizations issue privileged accounts in a very conservative manner and carefully control the privileges assigned to those accounts.

Privileged Account Monitoring

Organizations should design careful monitoring practices around their existing privileged accounts. First, they should watch for signs of account compromise. For example, you might want to create rules in your security information and event management (SIEM) systems that watch for:

• Privileged account use at unusual times or from unusual locations
• Simultaneous logins from disparate locations
• Unexpected increases in privileged account utilization
• Abnormal actions by privileged users

In addition to watching for indications that a privileged account is compromised, organizations should also monitor the activities of authorized users for signs of misuse. For example, auditing systems might red flag the following activities:

• Deletion of log files or other audit trails
• Restoration of backups of sensitive systems
• Access to highly sensitive information that doesn’t match job responsibilities
• Modifying security settings

SIEMs often include rulesets that provide a good starting point for these activities, but security analysts should craft and tune these rules to meet the specific needs of their organizations.

Least Privilege and Separation of Duties

Another way to protect against the abuse of privileged accounts is by following the principle of least privilege. This requires two separate actions.  First, organizations should limit the assignment of privileged accounts to individuals who absolutely need them.  Second, organizations should restrict  the permissions assigned to those accounts to the minimum set necessary to perform an individual’s job.

In practice, least privilege can be difficult to implement and manage. It’s far easier to simply give wide-ranging privileges to everyone in the IT department. This approach does require additional thought to implement and maintain, but it dramatically reduces the risk to the organization should a privileged account become compromised.

Another key principle is separation of duties.  This idea helps businesses in terms of auditability and in terms of keeping the network secure. The idea is that different privileged accounts can have different sets of privileges, and when these overlap less, there’s less of a threat of someone really doing intensive damage inside the system. For example, if one person is responsible for approving new user accounts and another person is responsible for creating them, no one person can single-handedly create a new user, reducing the likelihood of fraud.

Privileged accounts are a critical point of risk for organizations of all sizes and across industries. Security teams should take the time to assess their current privileged account management practices and make sure that they align with these best practices.