A Human-centric Approach to Operational Awareness and Risk Management.

Privileged User Monitoring: A Critical Piece of Insider Threat Prevention

They say that trust is a critical part of any healthy relationship. But when you hear so many tales of betrayal, abuse of power, and deceit, it can be hard to put those philosophies into practice. No, we’re not talking about your girlfriend, your husband, or even your kids: we’re talking about your privileged users. You know, those critical users who are both the key to your IT success and, potentially, the Achilles’ heel of your security system. Privileged users, or “super users,” have greater access to your company data and can make changes to company systems. A few examples include:

  • System administrators
  • Database administrators
  • IT security or audit practitioners
  • Application developers
  • Network engineers

Privileged users need their extended access to get their jobs done, and most of the time, this isn’t an issue. Lately, however, the news has been full of security horror stories — tales of privileged users using their access to steal or compromise sensitive data. How do you balance these users’ need for visibility and access with your desire to keep your institution as secure as possible?

First of All, Realize that Lock Down isn’t the Answer

They may be a risk, but privileged super users are still among the most valuable people in your organization. Some organizations try to control the risk by cutting back the privileges available to super users, or by reducing the total number of super users. On the surface the idea makes sense, but in practice it tends to fall short for a number of reasons:

  • Figuring out which permissions each user needs to do their job is a highly complex analytical problem.
  • Despite best efforts, organizations don’t always have a reliable way to tell whether they’ve missed individuals, service accounts, or machines that hold privileged access.
  • The typical process of gathering data about super users takes months (and sometimes years in large organizations) of survey-based assessment, and still produces an inaccurate picture, because it records what people say they need rather than what they actually use.

The Solution: Privileged User Monitoring

In many cases, a privileged user’s real power isn’t even their system access; it’s their experience and knowledge. Many privileged users can still reach crucial company information regardless of what systematic lock-down measures an organization puts in place, and often they have to in order to do their job. For security professionals, this becomes a major problem. How are you supposed to protect yourself against someone who can bypass your restrictions easily, and will likely need to in order to get their work done?

The answer might be something a bit more subtle than restriction. You know you can’t use force to keep your privileged users away from sensitive data, so try the trust but verify method instead. This can come in the form of a flexible, automated auditing and continuous monitoring process that records and scrutinizes the behavior of privileged users: what privileges each one exercises, on which systems, and how often. With a continuous monitoring system in place that alerts you promptly to any dramatic change in a privileged user’s behavior (a sudden bulk export, access to systems they never touch, a privilege they have never used before), you get an early indication that an account may have been compromised or that someone may be taking data. That way, you have time to act before serious damage is done.

Managing Your Privileged User Group

A big bonus of this method is that it allows you to strengthen your security posture at the time it matters most: when you’re not in the midst of an active attack. When it comes to privileged users, one of the best ways to do this is to use your newfound visibility to actively manage your super user group. In particular, a critical part of keeping privileges from being abused is making sure that you only give them to users who really need them. Many times, organizations unintentionally grant privileged access to employees who shouldn’t have it. For example, lots of companies still follow the practice of adding employees to the local computer’s Administrators group, or of cloning an existing user’s permissions for a new hire, in an attempt to streamline operations. Most of these employees probably have no ill intent, but it only takes one malicious or careless user to cause a massive breach with those misplaced privileges. Plus, every extra account that holds privileged access is one more account an external attacker can compromise to inherit those privileges.

The problem is, it’s easy for large organizations to lose track of who does and doesn’t have administrator privileges, along with who is using them and who isn’t. Using your continuous monitoring data, you can see which employees actually exercise the privileges they hold. You will always need at least a few privileged users with maximum access, but chances are you have some users in your administrator group who really only use one or two of the privileges that come with that title, and others who haven’t used any in months. By monitoring your privileged users, you can see who is actually using which privileges, and where you can narrow them to cut down on risk.
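The two uses of monitoring data described above, alerting on a sharp change in a privileged user’s behavior and right-sizing an administrator group from observed usage, come down to fairly simple analysis once the audit events are in hand. The script below is an added illustration and is not DTEX’s product or code. It assumes a constructed `ts=… user=… action=…` audit line format, a constructed administrator group (alice, bob, carol, dave), and constructed privileged-action names; a real deployment would feed it events from endpoint or server audit logs.

```python
"""Privileged-user monitoring over audit events (added example, constructed data).

Two checks run over the same log lines:
  1. behavioural deviation: a privileged user whose volume of privileged actions
     on the day under review far exceeds their own baseline, or who uses a
     privilege type never seen in their baseline;
  2. right-sizing: administrator-group members who exercised no privileges, or
     only one or two kinds, across the whole observation window.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

ADMIN_GROUP = {"alice", "bob", "carol", "dave"}  # constructed group membership


def parse(line):
    """Parse a constructed 'ts=... user=... action=...' line into day/user/action."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"day": fields["ts"][:10], "user": fields["user"], "action": fields["action"]}


def _make_sample_log():
    """Constructed audit lines: five quiet baseline days plus the day under review."""
    lines = []
    routine = (("08", "sudo"), ("11", "service_restart"), ("15", "user_add"))
    for day in [f"2024-03-0{d}" for d in range(1, 6)]:
        lines += [f"ts={day}T{hh}:00:00Z user=alice action={a}" for hh, a in routine]
        lines.append(f"ts={day}T10:30:00Z user=bob action=db_dump")  # one dump a day
    lines.append("ts=2024-03-02T14:05:00Z user=carol action=service_restart")
    day = "2024-03-06"  # day under review: bob bulk-exports at 02:00 and edits ACLs
    lines += [f"ts={day}T{hh}:00:00Z user=alice action={a}" for hh, a in routine]
    lines += [f"ts={day}T02:{m:02d}:00Z user=bob action=db_dump" for m in range(12)]
    lines.append(f"ts={day}T02:15:00Z user=bob action=acl_change")
    return lines


SAMPLE_LOG = _make_sample_log()


def detect_deviations(lines, check_day, k=3.0, min_events=5):
    """Compare each user's activity on check_day with their own earlier days.

    A spike is flagged when the day's event count exceeds mean + k*stdev of the
    user's baseline (stdev floored at 1 so a perfectly regular baseline still
    tolerates small increases) and is at least min_events. A privilege type used
    on check_day but never in the baseline is flagged as well.
    Returns a list of (user, kind, detail) tuples.
    """
    events = [parse(ln) for ln in lines]
    baseline_days = sorted({e["day"] for e in events if e["day"] < check_day})
    per_day = defaultdict(Counter)                    # user -> day -> event count
    actions = defaultdict(lambda: defaultdict(set))   # user -> day -> action types
    for e in events:
        per_day[e["user"]][e["day"]] += 1
        actions[e["user"]][e["day"]].add(e["action"])

    findings = []
    for user in sorted(per_day):
        counts = [per_day[user][d] for d in baseline_days]  # zero-filled per day
        today = per_day[user][check_day]
        if not counts or today == 0:
            continue
        threshold = mean(counts) + k * max(pstdev(counts), 1.0)
        if today >= min_events and today > threshold:
            findings.append((user, "spike", f"{today} events vs threshold {threshold:.1f}"))
        seen_before = set().union(*(actions[user][d] for d in baseline_days))
        novel = actions[user][check_day] - seen_before
        if novel:
            findings.append((user, "new_privilege", ",".join(sorted(novel))))
    return findings


def right_size(lines, admin_group, min_kinds=3):
    """Summarise which privileges each admin-group member actually exercised.

    Returns user -> (distinct action types, event count, recommendation):
      'remove' if no privileged activity at all in the window,
      'scope'  if fewer than min_kinds distinct privilege types were used,
      'keep'   otherwise.
    """
    usage = defaultdict(Counter)
    for e in map(parse, lines):
        if e["user"] in admin_group:
            usage[e["user"]][e["action"]] += 1
    report = {}
    for user in sorted(admin_group):
        kinds = usage[user]
        total = sum(kinds.values())
        rec = "remove" if total == 0 else "scope" if len(kinds) < min_kinds else "keep"
        report[user] = (frozenset(kinds), total, rec)
    return report


if __name__ == "__main__":
    for finding in detect_deviations(SAMPLE_LOG, "2024-03-06"):
        print("ALERT", *finding)
    for user, (kinds, n, rec) in right_size(SAMPLE_LOG, ADMIN_GROUP).items():
        print(f"{user:6} {rec:6} {n:3} events  {sorted(kinds)}")
```

On the constructed data, bob is flagged twice on the review day (a dozen database dumps at 02:00 against a baseline of one a day, plus an ACL change he has never made before), dave shows up as an administrator who used no privilege in the window, and carol as one who used a single privilege once. Note that the two checks reinforce each other: the narrow, regular usage profile that makes bob a candidate for a scoped DBA role rather than blanket admin rights is exactly what makes his bulk export stand out. In practice the baseline should cover weeks rather than days, be keyed per system as well as per user, and treat novel privilege use with a lower threshold than volume changes.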

Privileged User Monitoring and Ongoing Management

Continuous monitoring may seem like an overly simple solution, but it is one of the few controls that is both effective against privileged users and can be reliably enforced, and this isn’t an area your security program can afford to ignore. One particularly useful aspect of the method is that it creates a constant feedback loop for improvement. The visibility it provides shows you where your security program is and isn’t working: where the cracks are, and where you need to improve. The leaking of privileged information can do serious and often irreparable damage to a company’s market advantage, its reputation, and ultimately its bottom line. Your super users are completely necessary, but it only takes one malicious or careless employee to turn them into a super threat. The real key to preventing privileged user abuse is being able to determine the context and intent behind an individual’s actions. By enacting a privileged user monitoring program, you can keep an eye on individual risk without hindering the productivity of the entire group.

Wondering how your specific organization would use continuous monitoring to manage the privileged user threat? Drop us a line and we can help!