Privileged users are to blame for system compromises in a growing number of cases. One high-profile example is whistleblower Edward Snowden, the former systems engineer and administrator at the US National Security Agency (NSA), whose position enabled him to orchestrate one of the biggest information leaks of all time.

Another casualty of this type of incident is the infamous Target, which was breached when hackers gained network access via a third party.

Zoltan Gyorko

Many security incidents start on the inside of a business, as a result of privileged 'misuse'. This could stem not only from the activities of malicious insiders, but also from external hackers who target the privileged user in order to gain access to sensitive data through their user name and password - in many cases the root password. For external hackers, it is far more rewarding to gain access to the credentials of these 'super' users, be it a CEO or a system administrator.

The result is a growing threat posed by individuals who have access to confidential information of a highly sensitive nature.

The statistics are concerning: according to the latest Verizon DBIR, 88% of insider misuse incidents occur due to privileged abuse.

It is therefore essential that firms protect themselves against these risks, effectively finding a way to "watch the watchers". So what happens when an incident stems from the person who is supposed to be watching the network for attacks?

What's really going on

When an incident occurs, enterprises want to know the real story. This is not always easy: it involves analysing thousands of text-based logs, often requiring the help of external experts.

Adding to complexity, several administrators typically access the same privileged account, and share the same password - so it's often very difficult to determine who is responsible when an incident occurs.

Managing this requires an overhaul of the way in which security is handled. Existing solutions such as log management, firewalls and SIEM tend to focus on attaining compliance and monitoring the environment at specific points in time. However, these leave a blind spot that allows users to compromise security from the inside.

System administrators and other 'super users' have very high or even unrestricted access rights on operating systems, databases and application layers. By abusing their privileges on servers, administrators can directly access and manipulate the company’s sensitive information, such as financial or CRM data, personnel records or credit card numbers.

Overcoming complexity

It is user behaviour, rather than additional layers of security, that is key to finding this type of incident. Information on user habits, such as the time of day at which accounts are accessed - or looking for deviations from the user's usual routine to find anomalous behaviour - can point towards potential foul play.

Human users have characteristic behavioural patterns: they use the same applications, perform the same operation cycles while working, access similar data, and even type in a certain way. These interactions with IT systems leave a recognisable fingerprint which can be detected and learnt. Such profiles can be compared in real time with the activities of users to detect anomalies. For example, if a user normally only accesses office applications and then suddenly starts to use the command line to probe the network, it may be a signal that their account has been hijacked by a hacker. Similarly, if a salesperson typically logs in only to SalesForce, new activity on the development server would be unusual and could point to a problem.
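As an added illustration (not code from the article or from Balabit's products), the following Python sketch builds the kind of per-user fingerprint described above from constructed session records and reports where a new event departs from it. The log format, user names, hosts and application names are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session records (hypothetical): "timestamp,user,host,application".
# These stand in for the historical activity a monitoring system would learn from.
BASELINE_LOG = """\
2015-03-02T09:05:00,alice,crm-web,browser
2015-03-02T10:12:00,alice,crm-web,browser
2015-03-03T09:40:00,alice,crm-web,browser
2015-03-03T14:15:00,alice,mail,outlook
2015-03-02T08:30:00,bob,dev-srv-01,ssh
2015-03-02T22:10:00,bob,dev-srv-01,ssh
2015-03-03T09:00:00,bob,build-srv,ssh
"""


def parse(log):
    """Yield (user, timestamp, host, application) tuples from the CSV-style log."""
    for line in log.splitlines():
        ts, user, host, app = line.split(",")
        yield user, datetime.fromisoformat(ts), host, app


def build_profiles(log):
    """Per-user fingerprint: the hosts, applications and hours of day seen so far."""
    profiles = defaultdict(lambda: {"hosts": set(), "apps": set(), "hours": set()})
    for user, ts, host, app in parse(log):
        profile = profiles[user]
        profile["hosts"].add(host)
        profile["apps"].add(app)
        profile["hours"].add(ts.hour)
    return profiles


def score_event(profiles, user, ts, host, app):
    """Return the ways a new event deviates from the user's learnt routine (empty = normal)."""
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user"]
    findings = []
    if host not in profile["hosts"]:
        findings.append(f"new host {host}")
    if app not in profile["apps"]:
        findings.append(f"new application {app}")
    # Tolerate a one-hour drift around hours already seen; anything further is flagged.
    if min(abs(ts.hour - h) for h in profile["hours"]) > 1:
        findings.append(f"unusual hour {ts.hour:02d}:00")
    return findings


def flag_sessions(profiles, new_log):
    """Run every record in new_log against the profiles; return only the flagged ones."""
    return [(u, h, a, f) for u, ts, h, a in parse(new_log)
            if (f := score_event(profiles, u, ts, h, a))]
```

A real deployment would learn from far more attributes than three (command sequences, typing cadence, data volumes) and would weight findings rather than treat every deviation equally, but the comparison of live activity against a learnt per-user profile is the same.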

New approaches to security are now enabling firms to analyse all user activity, including malicious events, throughout their IT systems. This allows enterprises to track and visualise user activity in real time to get a better understanding of what is really happening on the network.

The ability to easily reconstruct this activity allows firms to shorten investigation time and avoid unexpected costs. With an increasing number of security incidents perpetrated by privileged users, or by attackers using their stolen credentials such as username and password, it is time for a different approach. Monitoring user behaviour, rather than putting in additional layers of control, is the key to identifying incidents and ultimately halting breaches as soon as they occur.

Visit the Balabit website or follow @Balabit.