Combat insider data breaches with privileged access management
Because financial institutions face a high risk of cybercrime, they are generally quick to adopt new technologies that may reduce the risk of a breach. However, banks are often held back by legacy infrastructure and applications which, given the sheer scale of their IT operations, are costly to upgrade.
It’s no secret that banks store huge amounts of sensitive data, which offer a lucrative financial reward to a cyber criminal. Financial organisations also need to comply with strict industry and government regulations, which require them to examine and record all access to sensitive information. This is why banks need to prioritise the protection of their clients’ identities and of their own privileged users’ accounts, as these are the top targets for criminals.
This is where the large, distributed nature of financial services infrastructure can present a problem. These kinds of IT systems are often managed by hundreds of system administrators and having enough employees focused on security at any one time can prove difficult.
Password-based access controls help to limit access, but it is relatively simple for an attacker to get into a financial IT system’s accounts by using social engineering tactics. Another problem is the malicious insider, including the trusted employee who has decided to go rogue. Security teams in banking institutions must look for more advanced security solutions that meet their complex needs, allow them to shift their focus to insider threats, and monitor user activity in real time. This way they will be able to continuously audit who is doing what in their IT systems.
Effective incident response
After an incident, answering the question of “who did what” is absolutely crucial, but it’s often the hardest aspect of incident response. Organisations want to determine what happened as quickly as possible, in order to meet government and compliance regulations. This often means that security teams end up analysing thousands of logs during a breach investigation, when time and resources could be better spent elsewhere. And when an incident involves misused privileged account access, this further complicates matters.
The fact is, privileged insiders and attackers who hold privileged credentials can cover their tracks by modifying or deleting log files, which makes it even harder to determine the root cause of the attack. That is one reason why misuse of privileged credentials has become such a popular attack method.
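As an added illustration (not the article’s or Balabit’s own code), the following Python script shows one way to make audit records tamper-evident against exactly this kind of cover-up: each record carries the SHA-256 hash of the record before it, and the latest hash is kept off-host. An insider who edits a record, deletes one, or truncates the end of the trail then breaks the chain and the verifier reports which kind of tampering occurred. The record layout, the sample events and the user and host names are constructed for the example.

```python
"""Tamper-evident audit trail built as a SHA-256 hash chain.

Added example, not Balabit code. Each audit record stores the hash of the
record before it, so editing or deleting an entry breaks the chain; a verifier
that also holds the latest hash (shipped off-host, e.g. to a remote log store)
can tell when the tail of the trail has been truncated. The record layout and
the sample session events below are constructed for this illustration.
"""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # the "previous hash" of the very first record


def record_hash(body: dict) -> str:
    """Hash the canonical JSON form of a record body (sorted keys, no spaces)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_record(chain: List[dict], event: dict) -> dict:
    """Append an event to the chain, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    record = dict(body, hash=record_hash(body))
    chain.append(record)
    return record


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain and return (ok, reason).

    Catches three tampering cases: a modified record (hash mismatch), a deleted
    or reordered record (sequence gap / broken link), and a truncated tail
    (head hash differs from the copy stored outside the attacker's reach).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            return False, f"sequence gap at position {i}: record deleted or reordered"
        if rec.get("prev") != prev:
            return False, f"record {i} does not link to the previous record"
        body = {k: v for k, v in rec.items() if k != "hash"}
        if record_hash(body) != rec.get("hash"):
            return False, f"record {i} has been modified"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash mismatch: trailing records were removed"
    return True, "chain intact"


# Constructed sample: three events from one recorded privileged session.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "db-prod-01", "action": "login", "ts": "2017-03-01T09:02:11Z"},
    {"user": "alice", "host": "db-prod-01", "action": "cmd", "cmd": "mysqldump customers",
     "ts": "2017-03-01T09:05:40Z"},
    {"user": "alice", "host": "db-prod-01", "action": "logout", "ts": "2017-03-01T09:09:03Z"},
]


def demo() -> dict:
    """Build a chain, then show how each kind of tampering is detected."""
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    head = chain[-1]["hash"]  # this is the value that gets shipped off-host

    # Insider rewrites the incriminating command in place.
    modified = [dict(r) for r in chain]
    modified[1] = dict(modified[1], event=dict(modified[1]["event"], cmd="ls"))
    # Insider deletes the middle record entirely.
    deleted = [chain[0], chain[2]]
    # Insider truncates the trail right after the login.
    truncated = chain[:1]

    return {
        "intact": verify_chain(chain, head),
        "modified": verify_chain(modified, head),
        "deleted": verify_chain(deleted, head),
        "truncated": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} ok={ok} {reason}")
```

The chain only proves integrity, not authenticity: an insider who can rewrite the whole file can recompute every hash. That is why the head hash (or a periodic signature over it) has to leave the host, which is the role a central PAM or log-collection point plays.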
What can banks do to manage privileged access incidents?
The first thing for banks to consider is their access policy. There must be a proper access policy in place, based on the principle of least privilege: each administrator holds only the rights that their role requires. Potential insider threats should also be identifiable at the earliest possible stage.
Luckily, there are tools which can help speed up the incident response process. By deploying a privileged access management (PAM) solution, security teams can gain centralised authentication and access-control points in the IT environment. This provides access control, session recording and auditing to prevent security breaches and speed up forensics investigations.
Additional security that doesn’t burden users with further limitations can be attained by implementing an agentless, transparent proxy technology. The data collected by the monitoring solution can be used to build up a profile of each privileged user’s normal behaviour: which hosts they administer, when they usually work and what they typically run. Privileged account analytics can then spot deviations from that profile in real time and bring them to the attention of the security team, who are equipped to deal with a breach as it occurs.
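To make the profiling idea concrete, here is an added Python example (illustration only, not Balabit product code). It assumes a session-recording proxy summarises each privileged session as a user, a target host, a start hour and the list of commands run. A per-user baseline is built from past sessions, and each new session is scored against it with the reasons attached, so the alert an analyst receives already carries its context. Because the score comes from deviation rather than from a signature, an unseen technique still stands out when it touches a new host, runs at an odd hour or issues commands the user has never used. The session history, the weights and the threshold are constructed for the example.

```python
"""Baselining privileged sessions and scoring new ones in real time.

Added example, not Balabit product code. It assumes a session-recording proxy
summarises each session as: user, target host, start hour (0-23) and the list
of commands run. A per-user profile is built from past sessions, and each new
session is scored against it with the reasons attached, so an analyst can
triage the alert without replaying thousands of log lines. The history and
the thresholds below are constructed for this illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Constructed session history: what "normal" looks like for two administrators.
HISTORY: List[dict] = [
    {"user": "alice", "host": "db-prod-01", "hour": 9,  "commands": ["ls", "tail", "systemctl"]},
    {"user": "alice", "host": "db-prod-01", "hour": 10, "commands": ["ls", "grep", "tail"]},
    {"user": "alice", "host": "db-prod-02", "hour": 14, "commands": ["ls", "tail", "systemctl", "grep", "journalctl"]},
    {"user": "alice", "host": "db-prod-02", "hour": 11, "commands": ["ls", "grep"]},
    {"user": "bob",   "host": "web-01",     "hour": 8,  "commands": ["nginx", "ls"]},
    {"user": "bob",   "host": "web-02",     "hour": 9,  "commands": ["nginx", "cat"]},
    {"user": "bob",   "host": "web-01",     "hour": 15, "commands": ["ls", "cat", "nginx"]},
]

ALERT_THRESHOLD = 50  # a score at or above this raises an alert


def build_baseline(sessions: List[dict]) -> Dict[str, dict]:
    """Profile each user: hosts, hours and commands seen, plus command-count statistics."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    baseline = {}
    for user, sess in by_user.items():
        counts = [len(s["commands"]) for s in sess]
        baseline[user] = {
            "hosts": {s["host"] for s in sess},
            "hours": {s["hour"] for s in sess},
            "commands": {c for s in sess for c in s["commands"]},
            "cmd_mean": mean(counts),
            "cmd_std": pstdev(counts),
        }
    return baseline


def _near_known_hour(hour: int, known: set) -> bool:
    """True if the hour is within one hour of any hour seen before (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in known)


def score_session(session: dict, baseline: Dict[str, dict]) -> dict:
    """Score one session against its user's profile; return score, reasons and alert flag."""
    prof = baseline.get(session["user"])
    if prof is None:
        return {"score": 100, "alert": True,
                "reasons": ["no baseline for this user: new or dormant privileged account"]}
    score, reasons = 0, []
    if session["host"] not in prof["hosts"]:
        score += 30
        reasons.append(f"first access to {session['host']}")
    if not _near_known_hour(session["hour"], prof["hours"]):
        score += 20
        reasons.append(f"session at {session['hour']:02d}:00 is outside usual hours")
    new_cmds = sorted(set(session["commands"]) - prof["commands"])
    if new_cmds:
        score += 10 * min(len(new_cmds), 3)  # capped so one noisy session cannot dominate
        reasons.append("commands never seen before: " + ", ".join(new_cmds))
    # Volume check: z-score with a floor on the spread so tiny histories stay usable.
    n = len(session["commands"])
    z = (n - prof["cmd_mean"]) / max(prof["cmd_std"], 1.0)
    if z > 3:
        score += 20
        reasons.append(f"{n} commands in one session, {z:.1f} standard deviations above normal")
    score = min(score, 100)
    return {"score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    live = [
        {"user": "alice", "host": "db-prod-01", "hour": 10, "commands": ["ls", "tail"]},
        {"user": "alice", "host": "hr-payroll-db", "hour": 3,
         "commands": ["ls", "cat", "mysqldump", "scp"] + ["cat"] * 16},
        {"user": "mallory", "host": "db-prod-01", "hour": 10, "commands": ["ls"]},
    ]
    for s in live:
        r = score_session(s, base)
        print(f"{s['user']:8s} score={r['score']:3d} alert={r['alert']} {r['reasons']}")
```

The weights are deliberately simple so the reasoning stays explainable to the analyst who has to act on the alert; in production the baseline would be rebuilt continuously from the session recordings rather than from a fixed list, and the threshold tuned against the false-positive rate the SOC can absorb.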
Easing the limitations of SIEMs with PAM tools
Security information and event management (SIEM) systems have become integral to enterprise security management. These systems process and correlate the alerts coming from various security systems. However, SIEM tools have limitations. They are fed only system log messages, so they lack contextual information on what privileged users actually did.
Privileged accounts are now the main target for criminals, so financial organisations need to move towards collecting comprehensive data on the activity taking place on privileged accounts in order to perfect the incident response process.
Another problem that arises with SIEM tools is that they only look for threats that have already been identified and fall under their pre-programmed rules. This means that if an attacker were to use an unknown method of attack, the SIEM would fail to detect it, as it would be unaware that it even existed.
Analysts are often so overwhelmed by the security alerts generated by SIEMs that it can prove impossible to work out which alerts are the most pressing. Even if they manage to shortlist alerts, they have only a small window of time to investigate and ascertain whether a red-flag alert is a false positive or an actual incident in progress.
In the wake of a breach, PAM tools can improve incident management by adding information sources that detect and analyse attacks carried out through privileged users. Investigating swiftly and making rapid, well-informed decisions is challenging for organisations, and requires real-time data that makes the context of a suspicious event clear.
An access management tool can provide risk-based scoring of alerts, rapid search, and clear and concise evidence. Increasingly sophisticated cyberattacks have become the new normal for banks and financial institutions, and, alongside the introduction of stricter compliance regulations, this means banks must ensure they have the best processes in place to recover from incidents quickly. That is much harder in the absence of relevant and reliable recordings of individual user sessions: investigations become more expensive and, in some cases, inconclusive.
By implementing advanced PAM solutions, organisations can collect and analyse information about privileged accounts and their activity. With the ability to easily reconstruct and analyse user sessions, the cost and time taken for an investigation are greatly reduced.
These tools also provide risk-based alerting as well as searchable, easy-to-interpret records of user activity. This way, analysts can quickly find the root cause of a problem. A PAM tool provides a fast return on investment (ROI) when dealing with incidents related to privileged accounts, and can be integrated into security operations centre (SOC) environments with little friction, making security operations far more effective.
By Csaba Krasznay, security evangelist, Balabit