Any clever thief is happy to report that banks are good places to rob because that's where the money is. For the same reason, any clever hacker will be happy to report that accounts are good places to target because that's where the access is controlled. It should come as no surprise then, that privileged accounts are attractive to an attacker, simply because they unlock the valuable resources of an enterprise. For this reason, security teams have come to recognize that one of the most powerful protection strategies against modern cyber attacks involves locking down accounts with privileged access.
This is easier said than done, for many reasons, including the often-vast number of accounts found in an enterprise. Nevertheless, the task is essential, especially when one considers that with de-perimeterization, the account becomes a front-line defense for organizations. CISOs have thus come to recognize that accounts must be locked down using the best available technology. To that end, I had the privilege (ahem) to spend time chatting with Udi Mokady, CEO of CyberArk. He was kind enough to share his insights in this important area:
EA: Udi, let's start with something basic, but perhaps not widely understood. Can you help us understand the difference between privileged and non-privileged accounts?
UM: Privileged accounts are everywhere. They are in every networked device, database, application, server, and social media account; they are on-premise, in the cloud, and in industrial control system (ICS) infrastructure. This explains why privileged accounts are often referred to as the keys to the IT kingdom. They provide administrative access to business-critical applications, systems, and networks in an organization. They trace their lineage back to early root accesses made available to system administrators of operating systems. Privileged accounts are foundational to administering IT and running any business both on-premise and in the cloud. The IT security community has thus come to recognize that privileged accounts are the preferred means by which both compromised insiders and external attackers gain power, and are able to assert control over a network. Regardless of where any malicious actors start, they need privileged credentials to move throughout the network. Both internal and external attackers look the same once they have compromised privileged credentials. For this reason, the consequences of privileged account exploitation can be severe, which is why protecting them must be a priority.
EA: Is it easy for a typical business to take inventory of their privileged accounts?
UM: The first step for an effective cyber risk management program is to quickly identify privileged accounts wherever they may exist across the enterprise. This can be a challenge for some organizations due to the sheer volume of privileged accounts that can exist across the enterprise. For example, privileged accounts can be found for users, SSH keys, service managers, devices, applications, and so on. The CyberArk Discovery and Audit (DNA) tool is one way that organizations can more easily identify these accounts and quantify security risk within their enterprise network. By better understanding the size and magnitude of their privileged account security risk, organizations can more effectively build a business case for a privileged account security program.
EA: What techniques do you use at CyberArk to protect these highly-privileged accounts?
UM: Most organizations also don't fully understand that privileged accounts are used in virtually every attack, so deploying privileged account security needs to be one of the first steps an organization takes to secure its systems. Securing privileged accounts is also the first action a victim group will typically take following a breach. We provide organizations with an easy-to-use methodology, which we refer to as the "30 Day Sprint," to prioritize the implementation of controls for protecting privileged credentials. Once organizations have identified where privileged accounts exist in their enterprise, they must prioritize and give precedence to the riskiest accounts. This means implementing controls on the most powerful accounts first, such as domain administrator accounts and administrator accounts with access to large numbers of machines, as well as application accounts that use domain administrator privileges. We advise customers to be realistic about addressing the volume of accounts; that is, they don't have to boil the ocean to achieve quick wins and demonstrate tangible results. Organizations should instead work quickly to get initial controls in place and make improvements over time. For example, accounts for workstation users should not have administrative privileges, but breach survivors say this is one of the more difficult practices to implement and maintain due to the sheer volume of workstations.
EA: How does a digital vault work? Does it create a single point of attack for the bad actors?
UM: CyberArk was founded to help organizations build a security strategy from the inside, focusing on locking down the keys to the IT kingdom. This is how the concept of digital vaults and privileged account security was created. At the core of the CyberArk Privileged Account Security Solution is the CyberArk Digital Vault, which contains a highly secure repository, behind multiple layers of security, which stores privileged account credentials, access control policies, credential management policies, and audit information. CyberArk is first and foremost a security company, and we create our products with a "security first" mindset. The Digital Vault software is intentionally designed to minimize the attack surface and maximize the security of privilege account information. In addition to internal vetting and testing, CyberArk also submits its products to external organizations for independent testing and security validation. Through this process, the CyberArk Privileged Account Security Solution has achieved ISO 9001, Common Criteria, and United States Department of Defense UC APL certifications.
EA: Do you see privileged account security protections becoming more uniformly applied across different systems and applications?
UM: Today, many organizations still underestimate the scope of the attack surface that privileged accounts create. It's not unusual for larger organizations to have hundreds of thousands of privileged accounts. That attack surface is expanding exponentially as organizations migrate to the cloud and invest in new DevOps and endpoint technologies. While our business was initially driven by organizations in highly regulated industries, with greater recognition of the risks posed by privileged accounts, privileged account security has evolved from an audit and compliance solution, to become a critical layer of IT security that is essential to every organization's risk management strategy. We view the privileged account security market as a green field opportunity, because virtually every organization runs on technology, which requires protecting the privileged accounts that control that technology. If they lose control of their technology, they effectively lose control of their business.