Today we feature a guest blog post from SolarWinds. Check out this informative article about Best Practices and your SIEM solution.
If you are the IT security manager of a company with more than one system, you face one of two scenarios:
- The system admins have individual super-user access to each of the datacenter servers.
- The admins share the privileged user credentials to those servers.
In scenario #2, when a server goes down, you won’t be able to quickly identify who made what changes, whether the service disruption was caused accidentally or deliberately. In all probability, you may guess who the malicious person is, but it will be hard to prove because the account is shared. Now, what if you have hundreds of servers, and 50 system administrators sharing credentials? This quickly becomes too complicated to deal with while investigating a security breach.
The 2015 Verizon Data Breach Investigations Report states that more than half of the security incidents (55%) were from privileged account abuse. Roughly, that’s about 44,000 incidents. And, that’s a worrisome figure, though not unmanageable with the right security strategy and tools. This may be an insider threat, or simply a case of a compromised super-user account being used from the outside – it could be one of your ex-employees. You may never know if you don’t have the right tools and processes in place.
So, what’s the best way forward?
Stop sharing passwords
Sharing passwords among system admins or using shared service accounts only complicates credential management, and makes tracking difficult from an investigative or audit standpoint. Look for a solution that will integrate with your existing Active Directory setup, and one that will help you create groups and delegate permissions individually. When someone does log in with an administrator or privileged account, you should be alerted or receive a regular report to review that activity.
Collect and manage logs centrally
Having a centralized console to automatically collect, monitor and audit events relating to super-user accounts speeds up incident response and breach mitigation. You may dig into the specifics of each and every log file, and analyze patterns. If this exercise is manual, it’s cumbersome and inefficient. You have to automate it with the right tools and security strategy.
Set up notifications/alerts for anomalous activity
Create individual notifications/alerts for each type of login event that applies to a group or groups. Clearly define the correlation logic with respect to a specific activity, number of events within a time interval, and the resulting actions. Examples:
- Sending an email to the IT manager when a new member is added to an admin group
- Alerting when multiple administrator logon failures occur within a span of 1 minute
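As an added illustration of the correlation logic described above (example code written for this page, not SolarWinds' product or the original post), the script below applies the two example rules to a constructed sample of Windows Security events. Event IDs 4625 (failed logon) and 4728/4732 (member added to a security group) are standard Windows IDs; the account names, hosts, the one-line log format and the threshold of 5 failures within 60 seconds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: "<UTC timestamp> <event ID> <account> <host>".
# Five failed logons for admin.bob within 54 seconds, then an admin-group
# membership change, then a single failure for admin.carol. Not real data.
SAMPLE_LOG = """\
2015-06-01T09:00:01Z 4625 admin.bob   SRV01
2015-06-01T09:00:12Z 4625 admin.bob   SRV01
2015-06-01T09:00:25Z 4625 admin.bob   SRV02
2015-06-01T09:00:40Z 4625 admin.bob   SRV02
2015-06-01T09:00:55Z 4625 admin.bob   SRV03
2015-06-01T09:03:00Z 4728 alice       DC01
2015-06-01T09:10:00Z 4625 admin.carol SRV01
"""

ADMIN_ACCOUNTS = {"admin.bob", "admin.carol"}  # assumed members of the admin group
FAILED_LOGON = "4625"                           # Windows: an account failed to log on
GROUP_MEMBER_ADDED = {"4728", "4732"}           # Windows: member added to global/local group

def parse_line(line):
    ts, event_id, account, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, account, host

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Apply both rules in event order and return the alerts raised."""
    alerts = []
    recent = defaultdict(deque)  # account -> timestamps of failures still inside the window
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, account, host = parse_line(line)
        if event_id in GROUP_MEMBER_ADDED:
            # Rule 1: every admin-group membership change is reported immediately.
            alerts.append(f"ADMIN_GROUP_CHANGE {ts.isoformat()} by {account} on {host}")
        elif event_id == FAILED_LOGON and account in ADMIN_ACCOUNTS:
            # Rule 2: sliding window of failures per privileged account.
            q = recent[account]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()          # drop failures older than the window
            if len(q) >= threshold:
                secs = int(window.total_seconds())
                alerts.append(f"ADMIN_LOGON_FAILURES {ts.isoformat()} {account}: "
                              f"{len(q)} failures within {secs}s")
                q.clear()            # one burst produces one alert, not one per extra failure
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```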
Become compliant & schedule audits
Regulatory compliance standards such as PCI DSS, SOX, HIPAA, etc., require that you have full accountability for your super-user accounts and activities. Periodic audits of the administrator account or admin group accounts are essential not only to identify anomalous behavior (like account changes, user logon/logoff, software installs, failed logons, stopped processes, etc.) but also to comply with industry requirements and audits.
Whether you manage a startup environment or an enterprise, curbing privileged account abuse should be one of the top priorities in your security policy. The policy must do away with manual, time-consuming log analysis and threat detection, and move towards an automated solution encompassing security information and event management.