Best Practices to Prevent Privileged Account Abuse

Today we feature a guest blog post from SolarWinds. Check out this informative article about Best Practices and your SIEM solution.

If you are the IT security manager of a company with more than one system, you are in one of two scenarios:

  1. The system admins have individual super-user access to each of the datacenter servers.
  2. The admins share the privileged user credentials to those servers.

The former is best practice; the latter is a headache, especially if one of the admins turns malicious, for whatever reason.

In scenario #2, when a server goes down you will not be able to quickly identify who made which changes, or whether the service disruption was accidental or deliberate. You may have a good guess who the malicious person is, but it will be hard to prove, because the account is shared. Now scale that to hundreds of servers and 50 system administrators sharing credentials, and investigating a security breach becomes too complicated to deal with.

The 2015 Verizon Data Breach Investigations Report puts privilege abuse at the top of its insider and privilege misuse pattern, accounting for more than half (55%) of those incidents. That is a worrisome figure, though not an unmanageable one with the right security strategy and tools. The abuse may be an insider threat, or simply a compromised super-user account used from the outside; it could be one of your ex-employees. You may never know if you do not have the right tools and processes in place.

So, what’s the best way forward?

Stop sharing passwords

Sharing passwords among system administrators, or doing day-to-day administration through shared service accounts, only complicates credential management and makes tracking difficult from an investigative or audit standpoint. Look for a solution that integrates with your existing Active Directory setup and lets you create groups and delegate permissions individually. When someone does log in with an administrator or privileged account, you should be alerted, or receive a regular report to review that activity.

Collect and manage logs centrally

A centralized console that automatically collects, monitors and audits events relating to super-user accounts makes for faster incident response and breach mitigation. You can dig into the specifics of each and every log file and analyze patterns, but if that exercise is manual it is cumbersome and inefficient; automate it with the right tools and security strategy.

Set up notifications/alerts for anomalous activity

Create individual notifications/alerts for each type of login event that applies to a group or groups. Clearly define the correlation logic: the specific activity, the number of events within a time interval, and the resulting actions. Examples:

  • Sending an email to the IT manager when a new member is added to an admin group
  • Alerting when multiple administrator logon failures occur within a span of 1 minute
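The two alert rules above, plus the privileged-logon review report mentioned under "Stop sharing passwords", implemented as correlation logic over a handful of constructed Windows Security events. This is an added example, not code from the original post or from SolarWinds; the admin group names, the list of admin accounts, the thresholds and the sample events are all assumptions made for the illustration.

```python
"""Correlation rules for the two alert examples in the post, run over a few
constructed Windows Security events. Added illustration only: this is not
SolarWinds or Log & Event Manager code. The group names, admin account list,
thresholds and sample events below are assumptions, not from the original post."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security event IDs.
FAILED_LOGON = 4625                        # An account failed to log on
PRIVILEGED_LOGON = 4672                    # Special privileges assigned to new logon
GROUP_MEMBER_ADDED = {4728, 4732, 4756}    # Member added to global/local/universal security group

# Hypothetical site configuration (assumed for the example).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_ACCOUNTS = {"jsmith", "administrator"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=1)

# Constructed sample input (one normalized event per line, in time order), not real data.
SAMPLE_LOG = """\
{"time": "2015-06-01T08:00:01", "event_id": 4625, "host": "DC01", "user": "jsmith"}
{"time": "2015-06-01T08:00:12", "event_id": 4625, "host": "DC01", "user": "jsmith"}
{"time": "2015-06-01T08:00:20", "event_id": 4625, "host": "DC01", "user": "jsmith"}
{"time": "2015-06-01T08:00:31", "event_id": 4625, "host": "DC01", "user": "jsmith"}
{"time": "2015-06-01T08:00:45", "event_id": 4625, "host": "DC01", "user": "jsmith"}
{"time": "2015-06-01T08:01:10", "event_id": 4625, "host": "WEB01", "user": "bob"}
{"time": "2015-06-01T08:01:15", "event_id": 4625, "host": "WEB01", "user": "bob"}
{"time": "2015-06-01T08:01:20", "event_id": 4625, "host": "WEB01", "user": "bob"}
{"time": "2015-06-01T08:01:25", "event_id": 4625, "host": "WEB01", "user": "bob"}
{"time": "2015-06-01T08:01:30", "event_id": 4625, "host": "WEB01", "user": "bob"}
{"time": "2015-06-01T08:03:00", "event_id": 4672, "host": "DC01", "user": "jsmith"}
{"time": "2015-06-01T08:03:30", "event_id": 4728, "host": "DC01", "user": "jsmith", "target": "contractor1", "group": "Domain Admins"}
{"time": "2015-06-01T08:10:00", "event_id": 4625, "host": "DC01", "user": "administrator"}
{"time": "2015-06-01T08:12:00", "event_id": 4625, "host": "DC01", "user": "administrator"}
"""


class Correlator:
    """Stateful rule engine: feed events in time order, collect alerts."""

    def __init__(self):
        # (host, user) -> timestamps of failed logons still inside the sliding window
        self._failures = defaultdict(deque)
        # Privileged logons are not alerted one by one; they go into the periodic review report.
        self.privileged_logons = []

    def process(self, event):
        """Apply every rule to one event and return the alerts it raised (possibly none)."""
        alerts = []
        ts = datetime.fromisoformat(event["time"])
        eid = event["event_id"]

        # Rule 1: someone was added to an administrative group -> alert immediately.
        if eid in GROUP_MEMBER_ADDED and event.get("group") in ADMIN_GROUPS:
            alerts.append({"rule": "admin_group_membership_change", "time": event["time"],
                           "host": event["host"], "user": event["user"],
                           "target": event.get("target"), "group": event["group"]})

        # Rule 2: N failed logons for an admin account on one host within the window.
        elif eid == FAILED_LOGON and event["user"].lower() in ADMIN_ACCOUNTS:
            window = self._failures[(event["host"], event["user"])]
            window.append(ts)
            # Drop failures that have aged out of the window (ts itself always stays).
            while ts - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alerts.append({"rule": "admin_logon_failure_burst", "time": event["time"],
                               "host": event["host"], "user": event["user"],
                               "count": len(window),
                               "window_seconds": int(FAILED_LOGON_WINDOW.total_seconds())})
                window.clear()   # re-arm: one burst produces one alert, not one per extra failure

        # Rule 3: privileged logon -> record it for the scheduled review report.
        elif eid == PRIVILEGED_LOGON:
            self.privileged_logons.append({"time": event["time"], "host": event["host"],
                                           "user": event["user"]})

        return alerts


def run_rules(log_text):
    """Parse JSON-lines events and return (alerts, privileged_logon_report)."""
    engine = Correlator()
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(engine.process(json.loads(line)))
    return alerts, engine.privileged_logons


if __name__ == "__main__":
    found, report = run_rules(SAMPLE_LOG)
    for alert in found:
        print("ALERT", alert)
    print("privileged logons for review:", report)
```

Run on the sample, the engine raises exactly two alerts: the burst of five failed logons for jsmith on DC01 (the five non-admin failures from bob on WEB01 do not match the rule, and the two administrator failures are too far apart to stay inside the one-minute window), and the addition of contractor1 to Domain Admins. The single 4672 event lands in the review report rather than in an alert, which is the "regular report" option described above. The engine assumes events arrive in time order, which is what a central collector normally guarantees; out-of-order delivery would need the window logic to sort by timestamp first.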

Become compliant & schedule audits

Regulatory compliance standards such as PCI DSS, SOX and HIPAA require full accountability for your super-user accounts and their activity. Periodic audits of administrator accounts and admin groups are essential, not only to identify anomalous behavior (account changes, user logon/logoff, software installs, failed logons, stopped processes, etc.) but also to satisfy industry requirements and audits.

Whether you manage a startup environment or an enterprise, curbing privileged account abuse should be one of the top priorities in your security policy. That policy must do away with manual, time-consuming log analysis and threat detection, and move toward an automated solution built on security information and event management (SIEM).
