Combat Insider Data Breaches with Privileged Access Management

By Csaba Krasznay, Security Evangelist,Balabit

When it comes to cyber security, financial institutions are generally quick to adopt new technologies, though many organisations are still hamstrung by legacy infrastructure and applications. A recent study from IBM found that financial services organisations are breached on average 65% more than organisations in any other industry. So, with the ever-increasing attacks to banking infrastructure from sophisticated cyber-criminals, one of the biggest challenges facing banking IT is investigating incidents and recovering as quickly as possible.

Csaba Krasznay
Csaba Krasznay

The increased risk to banks is due to the massive amounts of sensitive data they keep stored, which can provide immense financial gains for cyber-criminals. Financial organisations must also comply with industry and government regulations which require them to monitor and record all access to their sensitive information. For this reason, it’s now more important than ever for banks to protect their clients’ identities and their own privileged users’ accounts, which are top priority targets for criminals. However, this can present a challenge due to the large, distributed IT networks typically operated by international financial organisations, often managed by hundreds of system administrators.

In such large distributed environments, having enough employees focused on security can be almost impossible. Whilst password based authentication can help restrict access, hackers can easily infiltrate financial IT system accounts using social engineering tactics. There is also the problem of the malicious insider, or employees who have decided to go rogue. Banking security managers must look for advanced security solutions, which allow them to focus on insider threats and monitor user activities in real-time, and make sure to continuously audit who is doing what in their IT systems.

Effective incident response

Following an incident, the simple question of ‘who did what’ is one of the most critical, but it’s also the most difficult to answer. Organisations want to determine the root cause as quickly as possible, to meet government and compliance regulations. This can often involve security teams analysing thousands of logs during an investigation, which is time and resource intensive. When an incident includes privileged account access, this can present even more of a challenge.

Privileged insiders and external attackers in control of hijacked credentials can easily cover their tracks by modifying or deleting log files, making it that much harder to determine the roots of the attack. It’s because of this that hijacking privileged accounts has become a popular method of attack for criminals.

What can banks do to manage privileged access incidents?

Firstly, financial organisations must have a proper access policy implemented, which should be based on the least privilege rule.They should also be able to detect potential insider threats at the earliest stages.

The best way to speed up the incident response process is to deploy a privileged access management (PAM) solution. These kinds of solutions can act as centralised authentication and access-control points in the IT environment, which in turn provides access control, session recording and auditing to prevent security breaches and speed up forensics investigations. Additional security that doesn’t burden users with more constraints can be achieved by deploying an agentless, transparent proxy technology. The data collected from the monitoring solution can be used to build detailed profiles of each privileged user to demonstrate baseline ‘normal’ behaviour and then privileged account analytics can be used to spot anomalies as they happen, which are then flagged to the security teams who can then tackle potential breaches as they occur.

What are the advantages of agentless, proxy technology?

Proxy technology works in the same way as a web proxy.When an HTTP(s) connection is initiated to a web server, the web proxy terminates it, checks the access rules if this connection is enabled for the user, and initiates a new connection to the web server. So, the client communicates with the proxy and the proxy communicates with the server, but both endpoints think that they are communicating with each other. Privileged session management tools do the same thing with the supported administrative protocols. The technology acts as a proxy between the privileged user’s workstation and the protected server. The transferred connections and traffic are then inspected on the application level, rejecting all traffic which violates the protocols. This proves a very effective deterrent against attacks.

Easing the limitations of SIEMs with PAM tools

Security Information and Event Management (SIEM) systems have become central to enterprise security management, in order to process and correlate alerts coming from various security systems. However, SIEM tools can be limiting, as they rely on being fed only by system log messages and they lack contextual information on privileged user activity. As privileged accounts are the main target for cyber criminals, financial organisations need to move towards collecting comprehensive data on privileged activities as a priority in order to finesse the incident response process.

Another issue presented by these tools is that they only look for threats that have already been identified and fall under their pre-configured rules. So, if an attacker were to use a new method of attack, the SIEM will be unable to detect it, as it is unaware that it even exists.

This can lead to analysts being so overwhelmed with security alerts generated by SIEMs that they can struggle to evaluate which alert should be analysed first. Even if they have a shortlist of alerts, they have limited time to investigate and decide if a red-flag alert is a false positive or indicates an actual incident.

Following a breach, Privileged Access Management (PAM) tools can help to increase incident management efficiency adding information sources which can detect and analyse privileged user threats. Rapid investigations and making quick, well-informed decisions present a challenge for organisations and require data in real-time to shed light on the context of a suspicious event. In these situations, an access management tool can provide risk-based scoring of alerts, fast search and easily digestible evidence. As cyber-attacks become the new reality for banks and financial organisations, coupled with the introduction of more stringent compliance requirements, banks must be better prepared to deal with incidents and recover quickly. Without relevant and reliable data recordings of individual user sessions, incident investigations can be expensive and in some cases, inconclusive.

By deploying advanced Privileged Access Management (PAM) solutions, organisations can collate and analyse information about privileged access. The ability to easily reconstruct and analyse user sessions reduces the time and costs of investigations. They also provide risk-based alerting, and searchable, easy-to-interpret records about user activities, so analysts can quickly find the root cause of a problem. All in all, a PAM tool provides a fast return to value in a specific challenge – investigation of incidents related to privileged accounts. They can be seamlessly integrated into SOC environments, making security operations more effective.

How does account high-jacking work?

Criminals steal the credentials of a privileged account employee, such as the system administrator and, acting as a legitimate user, gain potentially unlimited access to sensitive customer data and underlying infrastructure such as servers and databases. This makes it possible to steal data on an unparalleled scale, disrupt critical infrastructure and even install malware. As attacks usually unfold over a period of months, this allows intruders the time to perform reconnaissance, escalate privileges as well as covering their tracks and stealing data.