The Lockdown

Thycotic’s Cyber Security Blog

Privileged Access Management Analytics: Make Your Data Work for You

Written by Sara Shuman

May 4th, 2021

When time is a resource you don’t have — you must make your data work for you.

IT teams face an ever-evolving and expanding environment compounded by a shifting remote workforce, increase in BYOD policies, expansion of the attack surface, and pivot towards the cloud. Users and endpoints have left the office and are now that much more difficult to analyze, manage, and keep in compliance.

This leaves IT teams with little choice but to treat every user as a potentially privileged user and to gather and analyze data on all of them. Organizations often have two to three times more privileged accounts than they have employees, and the number of hours in a day is not growing to match.

How do IT teams that are strapped for resources manage?

With machine learning (ML) and artificial intelligence (AI), security teams can monitor continuously and detect threats proactively, responding in minutes rather than months. This starts with a learning period that establishes each user's baseline behavior: which secrets they access, how often, at what times of day, and from where. Those baselines are what separate an alert worth an analyst's time from background noise.

So, what behaviors should be observed? It's important to know the warning signs of privileged access abuse in order to identify and remediate malicious activity. These red flags include:

  • A sudden increase in privileged account access by certain users or systems
  • Atypical access of privileged accounts or secrets (a secret the user has never touched before)
  • A high volume of privileged accounts or secrets being accessed at once
  • Accounts accessed at unusual times of day or from unusual locations

However, collecting this behavioral data simply isn't enough. Generating a flood of email alerts full of false positives creates distraction and frustration and ultimately leads to alert fatigue. Automating the scoring of that data, so that only deviations from a user's own baseline surface as alerts, arms security teams with the power to identify real threats and stop attackers in their tracks.

How can IT teams that are strapped for resources respond?

As outlined above, IT and security teams need to leverage ML and AI technologies effectively to identify, analyze, and protect against malicious activity. As the privileged account attack surface expands, insight into privileged account access and user behavior becomes even more critical. Modern tooling automates this analysis and relieves IT and security teams of tedious manual review and alert fatigue.

Thycotic’s Privileged Behavior Analytics (PBA) integrates directly with the Secret Server PAM solution and allows IT teams to prevent, detect, and respond to anomalies in privileged account behavior and identify potential breaches.

With PBA, administrators can easily determine which actions should follow which warnings or alerts. This way, a suspicious user’s actions are either limited or stopped completely without requiring human action. These responsive actions include:

  • Two-Factor Check: Simple. This forces the user in question to pass a two-factor check to confirm they are who they claim to be, even if they already passed a two-factor check when they first logged in.
  • WebHooks: Email alerts are useful, but they are rarely the fastest path to a response. WebHooks allow PBA administrators to trigger customized actions alongside the email alert and any responsive action: create a ticket in ServiceNow, ping someone in Slack, or send a text message.
  • Risk-Based Session Monitoring: Smile, you're on camera, or at least being recorded. If the user in question sets off a trigger, their sessions are recorded. The Session Monitoring notification can also be disabled so that the user doesn't realize they're being recorded.
  • Request Access: This stricter control requires the user to request permission to view any additional secrets stored in Secret Server. The user in question won't notice anything out of the ordinary until they are forced to submit a request and wait for approval.
  • Lockout: This is the last resort. If human review is required, this locks the user out until the activity has been investigated and a decision has been made.
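The two pieces above, learning a per-user baseline and scoring later access against the listed red flags, then mapping that score onto an escalating response tier, fit in a small script. The following is an added example written for this post; it is not Thycotic or Secret Server code and does not reflect how PBA scores risk internally. The audit-event format, the sample events, the point values, the 3x volume threshold, the five-minute burst window, and the tier names are all assumptions chosen for illustration.

```python
"""Toy privileged-access anomaly scorer (added example; not Thycotic/PBA code).

Builds a per-user baseline from a learning window of secret-access audit
events, scores a later window against the red flags from the post, and maps
the score to a responsive action tier. Event format, point values, thresholds
and tier names are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit events: (timestamp, user, secret, country).
BASELINE_EVENTS = [
    ("2021-04-05T09:12:00", "alice", "db-prod-ro", "US"),
    ("2021-04-05T10:40:00", "alice", "db-prod-ro", "US"),
    ("2021-04-06T09:05:00", "alice", "db-prod-ro", "US"),
    ("2021-04-06T14:30:00", "alice", "jump-host", "US"),
    ("2021-04-07T09:50:00", "alice", "jump-host", "US"),
    ("2021-04-05T08:00:00", "bob", "vmware-admin", "DE"),
    ("2021-04-06T08:10:00", "bob", "vmware-admin", "DE"),
    ("2021-04-07T08:20:00", "bob", "backup-svc", "DE"),
]

NEW_EVENTS = [
    # alice: her usual secret, usual hour, usual country -> benign
    ("2021-04-12T09:30:00", "alice", "db-prod-ro", "US"),
    # bob: 03:00, new country, many never-before-seen secrets within two minutes
    ("2021-04-12T03:01:00", "bob", "domain-admin", "RU"),
    ("2021-04-12T03:01:30", "bob", "db-prod-rw", "RU"),
    ("2021-04-12T03:02:00", "bob", "aws-root", "RU"),
    ("2021-04-12T03:02:20", "bob", "backup-svc", "RU"),
    ("2021-04-12T03:02:45", "bob", "jump-host", "RU"),
]

# Score thresholds (assumed): highest tier whose threshold the score reaches.
ACTION_TIERS = [(8, "lockout"), (6, "request_access"),
                (4, "record_session"), (2, "two_factor_check"), (0, "none")]


def build_baseline(events):
    """Per-user profile: secrets, hours and countries seen, mean events per day."""
    profile = defaultdict(lambda: {"secrets": set(), "hours": set(),
                                   "countries": set(), "days": Counter()})
    for ts, user, secret, country in events:
        t = datetime.fromisoformat(ts)
        p = profile[user]
        p["secrets"].add(secret)
        p["hours"].add(t.hour)
        p["countries"].add(country)
        p["days"][t.date()] += 1
    for p in profile.values():
        p["mean_per_day"] = sum(p["days"].values()) / len(p["days"])
    return profile


def burst_distinct_secrets(events, window_s=300):
    """Largest number of distinct secrets pulled within any window_s span."""
    evs = sorted((datetime.fromisoformat(ts), secret) for ts, _, secret, _ in events)
    best = 0
    for i, (t0, _) in enumerate(evs):
        distinct = {s for t, s in evs[i:] if (t - t0).total_seconds() <= window_s}
        best = max(best, len(distinct))
    return best


def score_user(user, events, profile):
    """Return (score, reasons) for one user's events in the window being scored."""
    p = profile.get(user)  # .get() does not create a profile for unknown users
    if p is None:
        # No baseline yet: nothing to compare against until the learning period ends.
        return 0, ["no baseline for user; learning period incomplete"]
    score, reasons = 0, []
    peak = max(Counter(datetime.fromisoformat(e[0]).date() for e in events).values())
    if peak > 3 * p["mean_per_day"]:  # sudden increase in access volume
        score += 2
        reasons.append(f"volume {peak}/day vs baseline {p['mean_per_day']:.1f}/day")
    new_secrets = {e[2] for e in events} - p["secrets"]
    if new_secrets:  # atypical secrets for this user
        score += 2
        reasons.append(f"never-before-seen secrets: {sorted(new_secrets)}")
    burst = burst_distinct_secrets(events)
    if burst >= 4:  # many secrets at once
        score += 2
        reasons.append(f"{burst} distinct secrets within 5 minutes")
    off_hours = {datetime.fromisoformat(e[0]).hour for e in events} - p["hours"]
    if off_hours:  # unusual time of day
        score += 1
        reasons.append(f"access at unusual hours: {sorted(off_hours)}")
    new_countries = {e[3] for e in events} - p["countries"]
    if new_countries:  # unusual location
        score += 1
        reasons.append(f"access from new countries: {sorted(new_countries)}")
    return score, reasons


def choose_action(score):
    """Map a risk score to the escalating response tiers described in the post."""
    for threshold, action in ACTION_TIERS:
        if score >= threshold:
            return action
    return "none"


def analyze(baseline_events, new_events):
    """Score every user in new_events against the baseline; also flag webhook-worthy ones."""
    profile = build_baseline(baseline_events)
    by_user = defaultdict(list)
    for e in new_events:
        by_user[e[1]].append(e)
    results = {}
    for user, evs in by_user.items():
        score, reasons = score_user(user, evs, profile)
        action = choose_action(score)
        results[user] = {"score": score, "action": action, "reasons": reasons,
                         "notify_webhook": action != "none"}
    return results


if __name__ == "__main__":
    for user, r in analyze(BASELINE_EVENTS, NEW_EVENTS).items():
        print(user, r["score"], r["action"], "; ".join(r["reasons"]))
```

Two design points carry over to a real deployment. First, the thresholds are relative to each user's own baseline rather than global constants, which is what keeps a legitimately busy administrator from paging the on-call every day. Second, a user with no baseline scores zero here rather than maximum; whether that is the right call depends on whether new accounts are expected to touch privileged secrets before the learning period ends, and that decision should be explicit rather than an accident of the scoring code.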

The Verizon Data Breach Investigations Report (DBIR) reveals that over 80% of hacking-related breaches involve stolen or brute-forced credentials. Make your data start working for you and improve your threat intelligence with advanced analytics.
