Introducing the Privilege Sprawl Index
by Raj Dodhiawala, on Jan 05, 2022
Modeling Privilege Access Sprawl for Zero Trust Security
A privilege sprawl occurs when privileges, or special rights to a system, have been granted to too many people. It’s a best-case scenario for cyberattackers. When privilege sprawl gets out of hand, an organization’s attack surface grows and becomes a pain point for its security teams.
Why Does Privilege Sprawl Occur?
Privileged Access Sprawl often grows in the dark, while we’re working on other priorities. It occurs because we have:
- A fear of breaking something if we fix Privilege Access Sprawl
- A need to elevate access to enable quick, timely fixes when issues arise
- Indifference, and we don’t know or understand all the systems where privileged access accounts exist
- Inefficient processes, and it’s easier to leave the access active rather than recreate it later
- A dislike for policy and procedure, and this results in the circumvention of access controls
An organization’s Privilege Access Sprawl can grow quite large. We visited one organization with 250,000 employees, and a SecureONE demo identified over 5 million instances of standing privilege! Another organization, this one with just 3,000 employees, had over 175,000 instances.
Privilege Access Sprawl is not just a large-company problem!
How Can We Measure Privilege Sprawl?
Remediant has developed the Privilege Sprawl Index, which measures the effect of persistent privileged access to systems and across systems in your organization and how this access exposes you to lateral movement attacks.
When we calculate the Privilege Sprawl Index to measure privilege sprawl on a network, we consider several factors, including:
- Whether the critical system has admin accounts
- Whether these admin accounts are common to other systems on the network that may be compromised first
- The commonality of admin accounts across systems that enable an attacker to discover other admin accounts and move laterally to eventually reach your critical systems.
Using these factors and the equations presented in the Privilege Sprawl brief, we can calculate our Privilege Spawl Index as a value between 0 and 1, the result of which can be explained as follows:
= 1: makes lateral movement techniques a sure thing, and attackers can readily reach systems that house your crown jewels
>0 and <1: lateral movement is difficult, but still very possible, as seen in most attacks
= 0: true protection against lateral movement. Introduce the concept of Zero Standing Privilege
How Can We Measure Privilege Sprawl?
When you have privilege sprawl, your attack surface grows. Armed with a compromised admin credential, attackers have more options they can use to gain a foothold in your ecosystem.
With 24x7x365 access, an attacker can connect to a system at any time and stay for as long as they want.They can move laterally throughout your network. Using this lateral movement, they can reach your organization’s crown jewels. The higher your Privilege Sprawl Index grows, the easier this becomes for cyberattackers.
How Can We Measure Privilege Sprawl? Goal = Privilege Sprawl Index of 0
The closer your Privilege Sprawl Index is to zero, the better your privileged access control environment is minimizing your lateral movement risk. A Privilege Sprawl Index of 1 means that it’s easy to move laterally through your network and discover the crown jewels and encrypt files.
There are ways to lower your Privilege Sprawl Index and your privileged access risk. Consider:
- Zero Standing Privilege: Remove all admin accounts from every endpoint
- Provision Access Just-in-Time
- Achieve Zero Trust for Privileged Access
But, even when you achieve a Privilege Sprawl Index of 0, it takes work to keep it. Implement continuous monitoring to maintain Zero Standing Privilege.
To learn more about effective privileged access breach containment, schedule a demo of Remediant SecureONE today.
Are you ready to learn more? For a deeper dive into how the Privilege Access Sprawl Index works, check out the recording of my Identity Defined Security Alliance webinar.