Session Monitoring

To terminate or not to terminate, that is the question…

This is the issue facing many security managers who use session monitoring to oversee administrative sessions in progress. Many session management solutions allow you to terminate a live session if you see something suspicious. But the problem is that termination is destructive. While an RDP session may sometimes be reconnected, an SSH session is killed, which means that any processes or scripts that were running are no more. Perhaps this is a good thing, but what if you made a mistake? You now have potentially corrupted systems that were being updated by a totally legit script. The main reason that many admins choose NOT to terminate is fear of killing the wrong session.

So wouldn’t it be nice if there were a way to safely disconnect a user from their administrative session without breaking anything?

BeyondTrust’s PowerBroker Password Safe has the unique capability to safely LOCK an administrator out without destruction; in fact, it is currently the only product on the market with this capability. It does this by preventing the admin from interacting with their active session. A customizable message can be displayed to the admin, informing them that the session is locked; you might even add text suggesting that the user call a number for assistance. In this manner, there is no risk in blocking suspicious activity. If the activity is deemed to be correct, the security manager simply selects an unlock option to allow the user to resume their session. Of course, there is also the option to terminate the active session, as well as terminate any active session the user may have started.

So now there is NO excuse… If you SEE something DO something!

PowerBroker Password Safe provides secure session management, with the ability to proxy access to RDP, SSH and Windows, Unix & Linux applications. Dynamic assignment of just-in-time privileges, via Adaptive Workflow Control, allows organizations to lock down access to resources based upon the day, date, time, and location. By limiting the scope to specific runtime parameters, you narrow the window of opportunity in which someone might exploit misappropriated credentials. For example, if you normally expect the administrator (or third-party vendor) to be logging on from particular systems, you can ensure that access is only permitted from predefined allowable address ranges. Similarly, you can set up policies to control when the accounts are accessible, and alert when specific access policies are invoked.

On top of its granular access controls, PowerBroker Password Safe ensures managed accounts have their passwords regularly rotated; every time a password is released, it can be a one-time password for security. Passwords can be regularly changed using strong and complex policies to ensure that any credential breach, whether directly by the user or indirectly via malware, has a limited window of exploitation.

Several additional capabilities in the product help to mitigate the risks of administrative/third-party access:
  • Adaptive Workflow Control can route workflow to different groups according to runtime parameters.
  • Password Safe’s Application Proxy can automatically log users onto resources using managed credentials with zero exposure. Passwords may also be securely passed to any Windows, Unix, or Linux application.
  • All user activity may be recorded for later playback, and as mentioned above, real-time monitoring capabilities allow sessions to be monitored with options to remotely terminate or pause (lock) active sessions.

To learn more about session management in PowerBroker Password Safe, request a free trial.

Martin Cannard

Martin has been helping organizations solve challenges in the privileged account management and identity and access management space for over 24 years. At Dell Software, Martin managed a team of Solution Architects, focused on designing and implementing solutions in the Privileged Account Management (PAM) space. Prior to joining Dell, Martin was Sr. Product Manager for Novell Privileged User Manager, a privilege management application acquired from Fortefi, an organization where he served as Vice President, Corporate Development. Prior to this, he was Program Manager of Client Technologies at Symantec where he was responsible for many ground-breaking field and channel enablement applications. Additionally, Martin managed the European QA group at Axent Technologies and has held various management positions in consulting, systems development, and operations. Martin is a regular speaker at security events and webinars.