My son is 14 months old now, and I watch as the previous stream of unintelligible adult super-babble is now starting to slowly make sense to his sensitive little ears. I can see the delight on his little face with the exponential rate of little 'Ah-ha!' moments of shared mutual understandings, and it makes me wonder about how and when many of us as adults lose that excitement of learning, adapting and using new comprehensions in the environment around us.
This made me think about a variety of life experiences, and naturally I thought about my own InfoSec career and where I have had similar Ah-ha moments. For example, I recall trying to convince a Product Manager around Y2K that anti-virus and anti-spyware products were converging (just shortly before they actually did). At that time, what seemed like an "ah ha!" to me wasn't an "ah ha!" to the Product Manager in question, who didn't quite see the market trend going that way. Whoops? The Internet Security suite and Endpoint Security product landed and remains today. Was I alone with that "ah ha"? Of course not; anyone with more than a one-dimensional brain could see that coming, and that is where the market did go.
And over the years, I continued to represent the need (and still do) for solid anti-malware controls. However, last year I had a bit of an Ah-ha moment…
I'd been working on a variety of projects and customer engagements around aforementioned malware, when I was reminded of a simple philosophy around information security. Prevention is better than cure.
Locking down and managing privilege is an effective treatment against malware that relies on privileges to execute, whether for the initial payload, lateral movement on a network, or any variety of nefarious activity.
My journey took me to ISO27001 and the Australian Government ISM and the ASD's own assertion that:
At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package. Read more about the ASD Top 35
I strongly believe that the Top 4 mitigation strategies don't just apply to Australian organizations; they should be a global realization, a worldwide "ah ha!" for those still not quite understanding the importance here. Here's a refresher (or intro) on the Top 4 mitigation strategies:
1.) Application whitelisting - only authorized applications should be able to run on a system.
2.) Patch applications - if you want to reduce your threat window, you need to patch your apps.
3.) Patch operating systems - if you want to reduce your threat window, you need to patch your platforms.
4.) Restrict administrative privileges - if you want to reduce your threat window, you need to restrict and manage the admin rights to operating systems and apps.
Clearly, this is not a silver bullet. There will always be residual risk. However, as far as due diligence goes, there's a difference between doing the above intelligently and simply ticking a checkbox.
This is the new "Ah-ha". Intelligent privilege relies on finding integration points between all those 4 things above.
Consider this - most of us understand quite well that vulnerability management and patch remediation are going to address mitigation strategies 2 and 3 above. We'd be aware that a CRITICAL vulnerability affecting a system that has very restricted administrative accounts and no exploits in the wild is contextually not as important to prioritize as a medium or a high vulnerability affecting another system that has multiple admin accounts and several exploits in the wild. This is intelligent vulnerability management and something all vulnerability management systems should be able to do now. Yet, this is not the Ah-ha I'm talking about.
What if we could dynamically update our application whitelisting/blacklisting based on new threat intel? For example, you might allow iTunes to run in your network... (just bear with me there) however the moment a critical vulnerability hits that app, maybe you want your application controls to be automatically updated to change the risk response appropriate to policy and your organization?
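The two ideas above, contextual vulnerability prioritization (severity weighted by admin exposure and exploit availability) and an application-control action driven by that context, sketched as an added Python example. This is not the author's code or any product's logic; the weights, thresholds, policy shape and sample findings are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed record for one vulnerability finding on one host.
@dataclass(frozen=True)
class Finding:
    host: str
    app: str
    severity: str        # "low", "medium", "high" or "critical"
    exploit_in_wild: bool
    admin_accounts: int  # privileged accounts that can log on to the host

BASE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def context_score(f: Finding) -> int:
    """Severity alone is the starting point; exposure moves it up or down.
    Public exploits and many admin accounts raise the score, a host with
    tightly restricted admin access lowers it (illustrative weights)."""
    score = BASE[f.severity] * 10
    if f.exploit_in_wild:
        score += 15
    if f.admin_accounts <= 1:
        score -= 10      # restricted privilege limits what the bug is worth
    elif f.admin_accounts >= 5:
        score += 10      # broad admin footprint widens the blast radius
    return score

def prioritize(findings):
    """Highest contextual risk first, regardless of raw severity label."""
    return sorted(findings, key=context_score, reverse=True)

# Hypothetical application-control policy: which apps may run, and at what
# contextual score the response changes from allow to restrict to block.
POLICY = {"allowed": {"iTunes", "Outlook"},
          "restrict_threshold": 35, "block_threshold": 50}

def app_control_decision(f: Finding, policy=POLICY) -> str:
    """Map a finding onto an application-control action: an app that is
    not whitelisted is blocked; a whitelisted app is blocked or restricted
    (e.g. denied to admin sessions) once new intel pushes its score up."""
    if f.app not in policy["allowed"]:
        return "block"
    score = context_score(f)
    if score >= policy["block_threshold"]:
        return "block"
    if score >= policy["restrict_threshold"]:
        return "restrict"
    return "allow"
```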
However, this is more than just the dynamic connection between application whitelisting and vulnerability data - this is going back to basics and realizing that if we have critical applications / systems, then they should be accessed on a need-to-know basis (least privilege) and they should be managed in the most secure manner without affecting productivity.
Therein lies the challenge - how do you introduce a least privilege model to a team of administrators, often a group of technical folk who are very comfortable with the way they operate and are very resistant to change? Well, no one wants another Microsoft UAC; I rate that as the #1 reason why Vista bombed in the market (although there were many reasons). And it set back the industry a decade, because no CIO or CISO wanted to introduce the most intuitive strategy available - least privilege - especially when it had the chance to be such a productivity nightmare.
The market is now ripe for intelligent privilege access management. Enclave systems allow administrators access to only the systems they need to use. Those staff can use the tools they use today - no change, no Java. In combination with least privilege controls that address the heterogeneous marketplace of organizations' various Windows, Linux and UNIX infrastructure, and in combination with dynamically useful Threat Intelligence - you not only check the Top 4 mitigation strategy boxes... you do something far greater than that. You actually introduce effective and intelligent security.
When the industry starts to come together (industry analysts, suppliers and customers) to agree on the need for intelligent privilege access controls - you know you are at the cusp of the next required evolution of Information Security.
Author: Nigel Hedges | CISA, CISM, CISSP, CGEIT, CCSK ITIL-F, COBIT-F, MBA ISO27001 LI & LA