“I’m getting totally lost” David confided over a spinach Jamba Juice in the break room. “Cyberthreats are the buzz in the press and in the C-level washroom. So guess what, it’s now become my priority and frankly, I’m overwhelmed with it all — the complexity, the risk to the business, all the ‘solutions’ promising to solve it but that seem to be all over the map. Arrgggggg!”
Theresa could see the panic in David’s eyes. Definitely bridge jumping material. Need to talk him off the ledge.
“OK, David. Think happy thoughts. Think happy IT, nice and safe and secure.” He visibly calmed. “Look, every security vendor we’ve spoken to leaves me glassy-eyed as well. They’re too busy pitching their products and features and trying to think of clever ways to differentiate themselves — it just comes over as hugely complex and very, very confusing.”
“Bingo! I’m trying to wade through all this and make sense of it. My CIO is expecting a strategy on how to reduce our risks of being breached by cyberattacks since our prior focus on securing the network and putting APT detection software in place is just not enough. I just can’t get my arms around it all.”
“OK. Let me demystify it for you.”
Theresa took out a sheet of paper and started drawing.
“Cyberattacks are focused on breaching our defenses and getting hold of our sensitive data…stuff they can monetize.”
“The way they achieve this is multi-faceted, but look at recent major reports — Verizon, Mandiant — they’re compromising BOTH individual user accounts AND privileged accounts. Often, they quickly and easily compromise the former and use it to hunt for the latter. In fact, by compromising an end user account, they’re able to pass through your VPNs and firewalls without setting off alarms because they’re coming in as a ‘legitimate’ user. Remember that big 2013 breach? They got in by compromising the credentials of a 3rd-party HVAC service provider.”
“It’s no longer about the traditional network-oriented perimeter defenses since that perimeter is dissolving with the cloud, SaaS, IaaS, BYOD, outsourced services. IDENTITY is the new perimeter, so we need solutions that orbit around securing identities — identities associated with both individual user and privileged accounts. THAT’S where we should be spending our time and money.”
David internalized for a moment. “So whether the attacks are malicious insiders or APTs trying to worm their way through our network and servers to get to the crown jewels, a key objective for them to succeed is compromising accounts. Sooo…disrupting their attack chain at the identity level is a new approach we should be investing in?”
“Correct. But therein lies the challenge. Some vendors have a single hammer, and so they try to solve this one way. For example, keep the privileged accounts around, put the passwords in a vault, and control admins’ access to them. That’s not good enough. If those accounts are not disabled, APTs will compromise them. Period.”
“We need a vendor who specializes in disabling privileged accounts so admins login as themselves, and elevate privileges only for specific activities/commands, then they’re back down to least-privilege again. 95% of the time. It’s all about reducing the attack surface.”
“Frankly, vaulting passwords satisfies only a small minority of situations where there’s no choice but to login as root or administrator (such as installing software, emergency “break glass” situations, legacy applications). So it definitely has its place but on its own it really doesn’t appreciably shrink that attack surface!”
“Well that makes sense. If you explicitly remove privileged logins from the equation, you naturally improve your risk posture. For the exceptions where you can’t, make sure those passwords are locked away and there’s a tool to govern their use.”
“In a nutshell. Challenge is, where to find such a beast. We can cut through the rubbish here too. You need a vendor with a solution for both — managing individual user accounts as well as privileged accounts.”
David piped in, “Well there’s certainly no shortage of vendors out there.”
“True, but narrow it down. Be bold about what’s ideal for us:
- A vendor who has organically developed these solutions in-house. Not a Frankenstein patched together with OEM’d or acquired technologies that will challenge us from support, maintenance, upgrade, and operational perspectives. A single throat to choke who knows it all intimately.
- A vendor with a solid platform that supports our hybrid mentality — on-premises, cloud, and mobile. Those products should be built on a single platform — ideally cloud — so they reuse common capabilities and can quickly deliver us new capabilities, new products, and rapidly resolve issues.
“So David – 3 takeaways for you:
- Identity is the new perimeter — focus on securing both individual & privileged accounts!
- Pick a single vendor with a unified solution for both individual and privileged users since cyberattackers hit both.
- Pick a vendor with a strong common identity platform who is reacting to modern hybrid scenarios — on-prem, cloud, and mobile and cloud-based — so we’re future-proofed.
Oh, and make sure they have a stellar satisfaction rating and a load of big, credible customers.”
And lo, the light appeared at the end of the proverbial tunnel…
Find out more about Centrify Server Suite and Centrify Privilege Service. Why not take them for a test drive and experience the modern approach to privileged identity management for yourself with a free trial here and here.