Event Recording

Morey J. Haber: 10 Steps to Universal Privilege Management


Log in and watch the full video!

Virtually every cybersecurity breach today involves the exploitation of privileged access. Privileges are initially exploited to infiltrate an IT environment; once compromised by threat actors, privileges are further leveraged to move laterally, access assets, install malware, and inflict damage.

In this session, learn 10 key steps to achieving Universal Privilege Management, and how it is used to secure every user, session, and asset across your IT environment. Covered topics include: 

  • Why relying on password management alone leaves dangerous gaps in protection
  • Disrupting the cyberattack chain with privileged access security controls
  • Essential steps to achieving rapid leaps in risk reduction
  • Keys to a frictionless PAM solution that is invisible to end users

We will also share how the BeyondTrust Privileged Access Management (PAM) platform enables absolute control over every privilege in your environment to drastically reduce your attack surface and windows of exposure, while boosting business productivity.

I'm just used to going into it, but I oh, good. We'll talk a little bit about BeyondTrust and then a little bit about SailPoint and BeyondTrust going together as a co-sponsor. So let's begin with the privilege threat landscape. The attack surface for privileged accounts continues to expand. Really, if we think about it this way, 20 years ago, our privileged accounts were really only on a raised floor within a data center. They may be shared among a key set of individuals or a few people. And if you left the office, you left the data center. It didn't really matter if you knew those privileges, cuz there was no way to use them outside of the office. There was no real good connectivity into that raised floor. We know that has changed today. 10 years ago, we introduced the cloud, hybrid cloud, and we started seeing privileges expand.
We started using virtual machines in the cloud and SaaS applications and even virtual machines on end users' machines to do development or for systems engineers to do demos. And we started to see that proliferation of privileged accounts. Even if you removed admin rights, 10 years ago, an engineer spinning up a virtual machine could still have an operating system on that device with admin rights and really do whatever they wanted. And that posed a risk and a liability to the business. Today we have all sorts of internet of things. We have DevOps, we have all types of automation, and we have in the future even more admin accounts. As we expanded our push with modern technology to the cloud, and with the situation with remote workers and COVID, we're seeing privileged accounts in places we never expected before. And this really expands the attack surface, because if those privileges are abused anywhere at any time, they could become a liability to the business.
Now, some statistics that back that up are fairly straightforward. Look all the way on the right for starters: 88% of critical Microsoft vulnerabilities can be removed by mitigating admin rights. This is based on a BeyondTrust research study that we do every single year. And essentially we look at all of the published Microsoft vulnerabilities and which ones have privilege escalation as a part of their documented CVE. Based on that, we find that if you remove admin rights, the exploit corresponding to that vulnerability doesn't work 88% of the time. That's huge. The question is, why don't we remove admin rights everywhere? Well, some things just don't allow it. Sometimes things break, and there are all sorts of problems in getting people down to least privilege. People think it's too much work. And the sheer fact of the matter is it's not; it's actually fairly easy to do if you know how to do it using a universal privilege management strategy.
In addition, 80% of breaches involve credentials. So we should make sure that we're not reusing credentials. They're not shared, they're randomized, they're complex. All the things that we know are best practices, but unfortunately we still make mistakes and still do. So the statistics back up the problem of this explosion of privileged accounts being everywhere and in every place, and based on recent breaches over the last several years, the statistics also show that we have a problem. Now, how are threat actors gaining privileges? This pretty much sums it up. Now there are a few more, candidly, but this is really, when you look in the news and you look online and you do the research, you see it's everything from the old school guessing of passwords to password spraying and credential stuffing to the typical vulnerability and exploit combinations that, you know what, I didn't patch it.
A piece of exploit code ran and I was into the system. Maybe I didn't get privileges, but I got enough of a foothold in there to start performing some form of lateral movement or surveillance to get to the crown jewels or even start a ransomware attack. Modern attacks include SIM jacking, which is really at least escalating here in the United States. And these are things we all have to worry about because we don't have defensive mechanisms outside of putting a password on our SIM cards to protect from threat actors that are basically hijacking and cloning the SIM cards to conduct their nefarious mission and then have basic unrestricted access to all of the applications on the device, on the mobile device. And you and I know we live on our mobile devices every single day. So if you think about how threat actors are gaining privileges or escalating privileges, these are the top ones.
And we see all the old school ones like shoulder surfing. We see reused ones, which unfortunately as humans we just do, but we know we shouldn't, and we have to find a better way to secure them, and concepts like passwordless technology and things like that really do help. And these are all just a part of the strategy to get there. So if we think about what traditional password management covers now, when I say traditional password management, this is the old school definition of privileged access management. That's putting passwords in a vault. They really only help people working in that raised floor, those servers, or people working on infrastructure or very sensitive applications. You put those sensitive passwords in a vault, you rotate them on a regular basis. And that's really all you got. That's not good enough in modern times because we find from phishing attacks to ransomware, to automation, to NextGen devices, to even people having local admin rights working from home, they are all attack vectors today.
They are all a part of the problem, and we have to remove those admin rights and secure them in order to do better, because the attack chain for privilege escalation in a modern attack really starts with any type of insider or person compromised and unknowingly getting privileges for lateral movement, unless they have the data that's sensitive directly on their system, to exfiltrate the data or cause a denial of service. So what we wanna do is look at the links between all of them, look at how an external threat gets privilege escalation, look at how a remote worker gets those credentials to do something as an admin, and place the proper tools and controls in place to monitor, manage, and block those attack vectors. That's the whole premise of universal privilege management: get into those places where a threat actor would conduct commands or conduct lateral movement to find other systems to compromise or scrape passwords from memory.
Once you understand how the attacker's working, it's easy to place pieces in line to make sure it doesn't happen. This leads us to the top three privileged use cases. Look, we know we give too many privileges to employees, vendors, insiders, etcetera. It's just easier to put someone in the admin group and let them do their job, or let automation have admin rights and not think twice about it. That's wrong. We have to follow a least privilege model as a part of our identity governance stack and only give them the rights they need. And if they change positions in the organization, make sure that those privileges change accordingly. Because when we look at the statistics again, we find that when we give too many rights, people just abuse them, or they're attacked and that gets abused. So when we give that many rights, or we give excessive rights, we don't monitor them.
We don't manage them. And they become a prime attack vector for a threat actor to utilize against an organization. We also have the problem that credentials are shared and unmanaged: we basically whisper it, we write it down, we have a system that can only have one admin. Those are all bad security practices, but in many cases we can't avoid them because that IoT device only allows one admin account. We have no other way of doing it. So how are we sharing them? Why aren't we managing them? Why aren't we obfuscating them, randomizing them, putting 'em in a vault, doing the things that we know we should be doing to protect against an attack? Because 34% of coworkers do share their passwords. That's just bad. It's an easy way for it to be leaked, scraped from memory, or not changed when people exit the organization. We have a real problem with that.
Every password for every asset should be unique, and no two people should be using the same credentials or password on a system. And the third most popular use case is IT assets communicating unchecked. This is really when you have one system not talking properly to another. Look, 70% of all attacks involve some form of lateral movement. That's huge, absolutely huge. As I've indicated from the attack chain in previous slides, when a threat actor is in, they're gonna find a way to move around the environment to find or get or build a better beachhead, just something they want, need, or desire. Well, if we're monitoring communications between assets, we can block it. We can have that evidence of compromise, or allow them to do it so we can determine who's doing it, or block it right away. In a normal network environment, two machines next to each other should not be cross-communicating.
As we have people working from home on corporate laptops, they should not be talking outside to the printer and the router, or really any other computers in their home environment. They shouldn't. So we have to be able to monitor for lateral movement that's unchecked or to devices that should never be communicating together in the first place. So let's take a proper definition of privileged access management. Let's start at the high level of identity governance. Now this comes from the IDSA. This is a nonprofit organization that basically helps organizations define identity governance and has a framework that establishes how you start, how you finish, et cetera. And privileged access management is just one layer within it, just one layer. But what's important about that layer is it expands greatly into a lot of different disciplines. Everything from that password storage we spoke about earlier, to session management, including the recording and transcriptions of what was typed in or what is seen on the screen, to removal of admin rights on Windows, Unix, Linux, and Mac, to even conducting remote access with the proper level of privileges.
Now to handle all of these concepts as a part of the privileged access management definition, you need steps. You don't just say, I'm gonna do session management. It doesn't work that way. There has to be a plan to solve all of these challenges with the proper tool set and use cases to get there. Now we look at this as a journey, the journey to universal privilege management. There are really 10 steps, and this is where I was illustrating before that, if you want to dive into any of these deeper, please let us know. When you think about these 10 steps on this slide, notice there's no one, there's no 10. There's no starting place. There's no ending place. You pick your problem set, what your organization needs to solve first and foremost, and attack that. If it is that you have an audit that has been conducted where, you know, you have a high level of security risk at the endpoint, cuz too many people have admin rights locally or that secondary admin account,
you start at implementing least privilege on the desktop. You use PAM under this model to remove admin rights, use the solutions that are available in the PAM space. And you actually will find out people work better when they don't have admin rights. Because every time it pops up to say type in a credential, that doesn't happen anymore. It just works. If your next step is, okay, I gotta do application control, but I gotta do it better than the old school methods of just logging hashes. I need to use application reputation services to do allow listing and block listing and application grey listing. That's great. Then you go to that next step. If you're trying to solve challenges for remote workers, vendors, contractors, professional services that you've contracted out to, employees working from home, you start with remote access. But the benefit of this journey is there are no dependencies in these 10 steps.
You pick the order and priority that you need to solve your privileged access management challenges, implement that, and then move to the next one. That's the 10 steps to universal privilege management: going beyond traditional privileged access management, linking things together, and doing a better job solving the use cases that are most important to you. And this is how we present it from BeyondTrust. Now as a company, we are a market leader in the space. You can look at the latest report from KuppingerCole. We have the largest portfolio of PAM products compared to any other vendor in the market. And all of our products are integrated together to share use cases, to share credentials, to notify each other when something has happened, to solve many of those attack vector challenges. 20,000 companies worldwide and over 75 patents to our technology stack help us prove we have unique value and unique products.
We do this with three pillars: privileged password management, all the way on the left, to solve password management challenges, that traditional problem, putting passwords in a vault, rotating them, checking them in, checking them out. Endpoint privilege management for the removal of admin rights on Windows, Mac, Unix, Linux. And then secure remote access, the ability for help desk personnel to help users wherever they are and to do privileged remote access for those vendors and contractors. All operate standalone or integrated into the BeyondInsight platform. Now I wanna also briefly talk to you about why we do things better together with our partners, and specifically SailPoint today, because the challenge for most CSOs is, yes, I can grant access to an individual or I can do admin rights on one side, but I have no way of saying, is it appropriate or inappropriate? They have access to this.
What did they actually do? And then reconcile the two to prove that it was appropriate. When you consider those use cases, you have to first find out where all your privileged accounts are, place them under identity governance management, establish the proper roles and personas for them so that the privileged users can actually operate throughout the organization, and then monitor back, get that visibility to make sure that their work was appropriate. You can do all of this in a fully automated fashion with the proper business roles and technology roles, where you put someone in a group for, let's say, managing a server or for managing social media. And then when they're in there, they get the privileges needed to actually do that job. And then you're able to report on both at the same time. That reduces risk, reduces overhead. And when you go for that compliance reporting or that privacy reporting to say, did they do the right thing?
Yep. They were in the right group and this is what they actually did. And unfortunately you'll also find out when people don't do the right thing. My name is Morey Haber. I really want to thank you for your time today. I've been working in the industry for well over 20 years; you can find me online through a variety of periodicals. My books are also listed here covering exactly what we just spoke about, including the Identity Attack Vectors book, which was co-authored with SailPoint, on how to build an effective identity governance program within your organization, and my contact info. If there are any questions with that, I'll turn it back to the moderator and see if you have any thoughts or questions for me before we depart. Thank.
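As an added example that is not part of the talk and not BeyondTrust or SailPoint code: a small detector over constructed flow records that flags the unchecked asset-to-asset communication the speaker describes, namely workstations talking to peer workstations or to hosts outside the managed inventory (the home printer or router case). The inventory, hostnames and the four-field log format are assumptions made for the example.

```python
"""Flag unchecked asset-to-asset communication from flow records.

Constructed example. Assumes an asset inventory that classes each
host as 'workstation' or 'server', and flow log lines shaped as
"<timestamp> <src_host> <dst_host> <dst_port>". Anything not in the
inventory (home printer, router, a neighbour's PC) is 'unknown'.
"""
from collections import defaultdict

# Constructed inventory with hypothetical hostnames.
INVENTORY = {
    "ws-alice": "workstation",
    "ws-bob": "workstation",
    "ws-carol": "workstation",
    "srv-files": "server",
    "srv-dc": "server",
}

# Constructed flow log: the first and fourth lines are normal
# workstation-to-server traffic; the others are peer or unknown hosts.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 ws-alice srv-files 445
2024-05-01T09:00:05 ws-alice ws-bob 445
2024-05-01T09:00:09 ws-bob ws-carol 3389
2024-05-01T09:01:00 ws-carol srv-dc 88
2024-05-01T09:01:02 ws-alice 192.168.1.1 80
2024-05-01T09:01:10 ws-bob ws-alice 5985
"""


def classify(host):
    """Map a host to its inventory class, or 'unknown' if unmanaged."""
    return INVENTORY.get(host, "unknown")


def find_unchecked_flows(log_text):
    """Return (ts, src, dst, port, dst_class) for every flow where a
    workstation talks to another workstation or to an unknown host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash
        ts, src, dst, dport = parts
        if classify(src) != "workstation":
            continue  # policy here only covers workstation sources
        dst_class = classify(dst)
        if dst_class in ("workstation", "unknown"):
            hits.append((ts, src, dst, int(dport), dst_class))
    return hits


def fan_out(hits):
    """Distinct flagged destinations per source: one workstation
    reaching many peers is the lateral-movement pattern to escalate."""
    peers = defaultdict(set)
    for _, src, dst, _, _ in hits:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}
```

In a real deployment the inventory would come from the asset database and the records from a flow or EDR source; the logic stays the same.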
