Privileged User Monitoring
Privileged users — typically DBAs, network engineers, security practitioners, cloud custodians — require unrestricted access to servers, networks, devices, applications, or databases to perform their jobs. With that access, privileged users can:
- Make changes to servers, networks, application, corporate devices (including laptops, USB devices, and external hard drives), applications, and databases.
- Manage user profiles and privileges.
- View confidential or sensitive data — including intellectual property, code, legal data, and employee and customer personal information — residing in the databases they maintain.
- Modify or delete data.
- Respond to security alerts by viewing, modifying, or deleting audit logs.
However, their activities are often performed without visibility outside the asset on which they are working. What happens if they intentionally or accidentally endanger the confidentiality, integrity, or availability of an organization’s data? Without effective monitoring, privileged users can cause significant damage without ever being detected.
Dangers of Privileged User Accounts
The global footprint of IT assets (including cloud, virtualization, and big data), has created a need for more privileged user roles to manage the assets. As a result, unrestricted user privileges are often broadly assigned to roles and individuals to simplify the user management process and ensure they can do their job without triggering security alerts or being blocked from necessary assets.
Paradoxically, there are dangers associated with privileged user accounts, including:
Sharing account credentials. Some organizations assign a privileged user account to a role, rather than a specific user. Doing so reduces the ability to track personal accountability in the event of an intentional or accidental change to data or an asset.
Industry and compliance standard breaches. A privileged user could intentionally or accidentally violate availability, integrity, and confidentiality (AIC) standards, as follows:
- Availability issue. Privileged users can misconfigure a component, thereby blocking access to a website or other resource. They could also change passwords, thus locking out authorized users.
- Integrity issue. Privileged users can modify or delete data, including the audit logs that identify intentional or accidental changes to data.
- Confidentiality issue. Privileged users can access personal identifying information (PII) or other confidential data, even though that access is not needed to perform their job.
High value of privileged user account. Privileged users are often targeted by Advanced Persistent Threat (APT) attacks. The goal is to dupe the privileged user into either revealing credentials or downloading malware. This gives the attacker a foothold into the network.
Malicious intent. Privileged users can deliberately endanger the organization’s data for personal gain, espionage, or other malicious purposes. They may act as a ‘lone wolf’ or partner with a hacking group or business competitor. Examples of malicious intent include:
- Injecting a logic bomb, Trojan horse, backdoor, or malware into the organization’s system.
- Deploying a virus or malware to customer systems.
- Harvesting confidential or proprietary data.
Monitoring Privileged Users
Privileged user monitoring poses significant technical and operational challenges, since privileged users require unrestricted access to perform their jobs. Moreover, technological strategies need to go beyond native database auditing or Security Information Event Management (SIEM), since those tools provide massive amounts of information but little context with which to make sense of alerts.
Instead, a robust technological strategy enables an organization to:
Track Privileged Access to Sensitive Data: Monitor all privileged user access to files and databases (including local system access), audit user creation and newly granted privileges, and restrict usage of shared-privileged accounts.
Block or Alert on Suspect Activity: Identify user behavior that deviates from normal access patterns, and alert and block suspicious activities that may indicate privilege abuse. Users performing unauthorized activities should be quarantined and their privileges should be reviewed. Audit reports and analytical tools are needed to support forensic investigations.
Identify Unauthorized Privileges Changes: Verify that changes to data objects and data systems are properly authorized. Unauthorized activities should be thoroughly investigated and controls should be implemented to prevent future incidents.
Separation of Duties: Ensure privileged users cannot monitor themselves, since they can alter security controls to conceal their irregular activities.
Eliminate Excessive and Unused Rights: Identify highly privileged users, verify that the privileges are necessary for the user’s role and duties, revoke excessive user rights, and remove dormant users.
Learn how Imperva solutions can help you monitor privileged users.