How many privileged sessions are active in your environment right now? Are you monitoring and managing all of them effectively? Many organizations attempt to use existing security tools that aren’t all that effective at detecting and blocking potentially malicious privileged activity.
User and system activity is constantly logged by a variety of tools. In many environments, this information is aggregated in a security information and event management (SIEM) platform, which correlates and analyzes the data to automatically detect unusual activity and issue an alert. A centralized management interface makes it easier for security personnel to investigate alerts in the context of all the log and event data collected across the environment.
When a user with legitimate privileged credentials logs into a system and performs an action, the activity will be tracked and pulled into the SIEM. If that action is suspicious, the SIEM system might issue an alert. But how do you define suspicious activity so you’re not bombarded with alerts from the SIEM system? How do you effectively shut down malicious privileged activity without impacting legitimate users?
Some behavior is obviously abnormal. If an administrator in Chicago suddenly logs in from China at 2 a.m., you can be pretty confident you have a problem. If the administrator attempts to log in using a device that doesn’t meet the minimum requirements specified in your security policy, the SIEM should issue an alert.
But what about privilege escalation? Though it’s not a best practice, IT administrators commonly give users escalated privileges when they are unable to access the systems and resources they need. The administrator logs in, changes the user’s account, and logs out of the system. This activity is recorded by the system and fed into the SIEM. Should an alert be issued?
Possibly, given that privilege escalation could point to compromised credentials or a malicious insider. But should IT security teams get an alert every time privilege escalation activity occurs? How quickly would a security analyst be able to determine if a potential threat exists and shut down the session?
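One way to make the distinction the preceding paragraphs draw concrete, as an added example that is not CyberArk's, Clango's or any SIEM vendor's code: a handful of constructed privileged-activity events are scored by rules that alert on the obvious anomalies (login from an unexpected country, off-hours activity, a non-compliant device) but raise a privilege-escalation alert only when the change is not tied to an approved change ticket, so routine ticketed changes do not flood the analyst. The event fields, the administrator's baseline and the ticket list are all assumptions.

```python
"""Toy SIEM-style rules for privileged-activity events (illustrative only)."""
from datetime import datetime

# Constructed sample events, shaped like what a SIEM might receive from
# authentication and directory-change logs.
EVENTS = [
    {"ts": "2024-03-04T09:15:00", "user": "admin.jdoe", "type": "login",
     "country": "US", "device_compliant": True},
    {"ts": "2024-03-05T02:05:00", "user": "admin.jdoe", "type": "login",
     "country": "CN", "device_compliant": True},
    {"ts": "2024-03-05T10:40:00", "user": "admin.jdoe", "type": "login",
     "country": "US", "device_compliant": False},
    {"ts": "2024-03-05T11:00:00", "user": "admin.jdoe", "type": "privilege_change",
     "target": "bsmith", "group": "Domain Admins", "change_id": "CHG-1001"},
    {"ts": "2024-03-05T23:30:00", "user": "admin.jdoe", "type": "privilege_change",
     "target": "svc-backup", "group": "Domain Admins", "change_id": None},
]

# Constructed baseline: where and when this administrator normally works.
BASELINE = {"admin.jdoe": {"countries": {"US"}, "hours": range(7, 20)}}
# Constructed set of approved change tickets that authorise a privilege change.
APPROVED_CHANGES = {"CHG-1001"}

def evaluate(event, baseline=BASELINE, approved=APPROVED_CHANGES):
    """Return the list of alert reasons for one event (empty list = no alert)."""
    reasons = []
    # Unknown users get a permissive profile so only hard rules fire for them.
    profile = baseline.get(event["user"], {"countries": set(), "hours": range(0, 24)})
    hour = datetime.fromisoformat(event["ts"]).hour
    if event["type"] == "login":
        if event["country"] not in profile["countries"]:
            reasons.append("login from unexpected country")
        if hour not in profile["hours"]:
            reasons.append("login outside usual hours")
        if not event["device_compliant"]:
            reasons.append("non-compliant device")
    elif event["type"] == "privilege_change":
        # Escalations backed by an approved ticket are expected work; only the
        # unticketed ones (or odd-hours ones) are worth an analyst's attention.
        if event["change_id"] not in approved:
            reasons.append("privilege change without approved change ticket")
        if hour not in profile["hours"]:
            reasons.append("privilege change outside usual hours")
    return reasons

def triage(events):
    """Map each event's index to its alert reasons, skipping clean events."""
    return {i: r for i, e in enumerate(events) if (r := evaluate(e))}
```

Running `triage(EVENTS)` flags only the foreign off-hours login, the non-compliant device and the unticketed late-night escalation; the routine login and the ticketed change produce no alert.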
SIEM systems are valuable, but they’re not the best tool for privileged session monitoring and management. Specialized privileged session management solutions monitor and record all privileged access to IT resources down to the keystroke level, giving security analysts greater visibility and making it easier to enforce IT policies. Best-in-class privileged session management solutions also incorporate user and entity behavior analytics to help security personnel respond more quickly to potential threats.
CyberArk’s Privileged Session Manager provides real-time monitoring and recording of privileged sessions and risk-based session review. Critical systems are isolated from endpoints to help prevent an attacker from moving laterally through the environment and to limit the spread of malware. Privileged Session Manager also supports integration with other security platforms.
Clango’s CyberArk Certified Delivery Engineers can help you implement Privileged Session Manager and configure it according to your business and IT requirements. The Clango Innovation Labs team can develop custom integrations that incorporate Privileged Session Manager into your security environment and workflows. We can help ensure you have the right tools and strategy to monitor and manage privileged sessions.
For more information about PSM, please send us an email at (firstname.lastname@example.org).