Tales from the Road: The Pitfalls of PAM
by JD Sherry, on Apr 01, 2021
Privileged Access Management (PAM) isn’t easy. Even when you do it right, things can be very bumpy.
There’s a solid idea behind PAM:
- Be really careful who gets privileged access.
- Monitor sessions.
- Vault login credentials.
But, what about who keeps that privileged access? What happens when they don’t need it—or shouldn’t have it—anymore?
Privileged Access Management in real life: An example
Suppose you own a vacation property near San Diego. Every week through Airbnb, you give a key/code to an authorized guest. Each one of those guests signs the papers, pays for their week, and hopefully doesn’t tear up the place.
You’re managing access to that property.
At the end of each guest’s stay, you’d ask for the key back, right? Guests wouldn’t just hang on to that key or access code in case they someday rented again…
Of course, you’d get the key back.
Why is Privileged Access Management any different?
If each tenant just kept their key, soon you would have 52 keys to your front door out there—plus any keys you don’t know about. Suppose one tenant lent their key to a friend. Another leaves theirs in a car on a keyring with your address. A third chucks it into a junk drawer in the coffee room in their office.
Your privileged access management process for your vacation property just failed.
Now, it’s just a matter of time before someone finds a key, breaks in, and starts moving from room to room, stealing stuff and causing mayhem.
That sounds incredible—like something that could never happen. But it does—every day, in many, many organizations of all shapes and sizes across the globe.
“All kinds of controls”
Companies put all kinds of controls around how privileged access gets defined and who gets it. They spend thousands of dollars on a privileged access management solution—implementing it, training SMEs to use it, maintaining it, auditing it. They may even have an approval workflow for audit and compliance purposes, one that lacks any automated enforcement.
These companies grant privileged access to the right people. But, they never take it away. Privileged access becomes excess standing privilege. In many cases, that access is always on—24x7x365.
Would you bring your PAM implementation home to your mother?
You worked hard to implement PAM and get it right. You—and your boss—don’t want to hear that your privileged access is a mess, even if your PAM solution is perceived to be working.
How is it possible to have excess standing privilege AFTER you have spent so much time, money, and effort on implementing a PAM solution?
It happens more than you think. When I meet with clients in the field, I tell them all the ways excess standing privilege catches fire within companies just like theirs. It even happens at the big Fortune 100 companies that have the resources that others don’t.
Excess standing privilege emerges when you can’t quickly find and deactivate privileged access that’s gone stale, that’s not needed anymore.
Our clients might have already had the ‘deficiency’ talk with their Big 4 auditor. Or, maybe they’re having a Come-to-Jesus moment after years of pushing standing privilege down the many pages of their to-do lists. Some have gone through a failed pen test or experienced a breach.
It doesn’t matter. You’re not alone if you’re concerned about excess standing privilege. You’re not alone if you have excess standing privilege.
You’re also not alone if you need help.
That’s what Remediant does.
We’re not from Corporate. We’re here to help
When we take our show on the road, we get some surprised reactions. Clients think “there might be a problem” with standing privilege. They haven’t gotten around to looking into how big it is—or if it exists at all. They don’t always really want to know.
Attackers count on folks who put their heads in the sand when this topic comes up.
This quarter, we went into an American multinational corporation, high up in the Fortune 500 list—the kind of place where people just presume they’ve got all their eggs in the right baskets.
We walked in, ran SecureONE for one hour, and found more than 1 million instances of standing privilege. That’s 1 million risks for adversarial lateral movement across their systems, an average of over 500 instances of standing admin privilege per system.
We also found nearly 6,000 unique admin accounts and an average of 700 instances of standing privilege per workstation.
This is a company that’s invested in privileged access management and that comes under the public-company scrutiny of the big audit firms.
Big companies, like small companies, hand out the keys, but don’t always take them back when employees have completed their tasks. They also don’t always change the locks.
Everyone has some standing privilege. The question is: how much?
Each one of those numbers means a chance to land the next breach headline in the news.
Standing privilege = Ticking time bomb
Excess standing privilege can sit neglected, for years, before you know you even have a problem. Hackers can steal the user credentials (or even hashes) of your privileged access users through tools that sniff out usernames and passwords in your system memory. They can install Remote Access Trojans (RATs). Then, they can just lurk undetected, using those forgotten accounts, pilfering data, and installing malware—essentially becoming digital insiders.
That can go on for years. It has. Just look at the SolarWinds hack.
Maybe it’s time to consider a solution like Remediant SecureONE that deploys easily and needs no agents. We can scan 150,000 endpoints in just a few hours AND coexist with your existing PAM solution. We’ll integrate with EDR too, to harden your endpoints and contain the spread of an attack. To enable privileged user workflows, we also integrate with IGA and ITSM solutions.
Remediant SecureONE also doesn’t take an army of FTEs or consultants to maintain.
What you get with Remediant
We’re taking a fresh, laser-focused approach to privileged access management. We remove 24x7 admin rights. We stop ransomware by preventing lateral movement. With SecureONE, clients can administer admin access precisely, just-in-time. We don’t need agents or a big commitment of time and resources. In just 5.5 hours, we can give you a “hot off the presses” PoV (Proof of Value) report on the health of your network from a privileged access perspective.
Here’s an example of the type of data uncovered by Remediant SecureONE in less than one business day:
SecureONE reporting shows you the high-altitude data like:
- Total instances of standing privilege
- Number of unique admin accounts discovered
- Average instances of standing privilege per system, server, and workstation
- Cross-tier access (accounts that can access both workstations and servers)
You get detailed privileged access data too
Beyond the executive summary data, SecureONE assessment reporting breaks down the persistent “standing” admin risk in your environment. You’ll get an infrastructure and scanning overview that details standing privilege across Active Directory (AD) users and groups. You’ll also see the top accounts in your company in terms of risk.
SecureONE also highlights best practice violations by identifying accounts that don’t comply with Microsoft’s tiered best practices.
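To make the metrics above concrete, here is an added example (not Remediant’s code and not SecureONE output) that computes the same kinds of numbers from a constructed inventory of local-admin rights. Every row of the invented `INVENTORY` list is one instance of standing privilege on one host; the host `tier` field and the `last_admin_logon` dates are assumptions made for the example. The functions produce the high-altitude totals and per-tier averages, the cross-tier accounts that violate a tiered model, the accounts with the widest reach, and the entries that have gone stale and are candidates for removal.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed inventory of local-admin rights, one row per (host, account).
# Invented for this example; it is not output from SecureONE or any real scan.
# 'tier' marks the host class in a Microsoft-style tiered model.
INVENTORY = [
    {"host": "WS-001",   "tier": "workstation", "account": "CORP\\helpdesk01", "last_admin_logon": date(2021, 3, 28)},
    {"host": "WS-001",   "tier": "workstation", "account": "CORP\\jdoe",       "last_admin_logon": date(2020, 6, 2)},
    {"host": "WS-001",   "tier": "workstation", "account": "CORP\\svc_backup", "last_admin_logon": date(2021, 3, 30)},
    {"host": "WS-002",   "tier": "workstation", "account": "CORP\\helpdesk01", "last_admin_logon": date(2021, 3, 25)},
    {"host": "WS-002",   "tier": "workstation", "account": "CORP\\asmith",     "last_admin_logon": date(2019, 11, 14)},
    {"host": "WS-003",   "tier": "workstation", "account": "CORP\\helpdesk01", "last_admin_logon": date(2021, 3, 29)},
    {"host": "WS-003",   "tier": "workstation", "account": "CORP\\jdoe",       "last_admin_logon": None},
    {"host": "SRV-DB01", "tier": "server",      "account": "CORP\\dba01",      "last_admin_logon": date(2021, 3, 31)},
    {"host": "SRV-DB01", "tier": "server",      "account": "CORP\\svc_backup", "last_admin_logon": date(2021, 3, 30)},
    {"host": "SRV-FS01", "tier": "server",      "account": "CORP\\svc_backup", "last_admin_logon": date(2021, 3, 30)},
    {"host": "SRV-FS01", "tier": "server",      "account": "CORP\\fsadmin",    "last_admin_logon": date(2020, 1, 8)},
]

# Assumed assessment date for the staleness check (constructed).
ASSESSMENT_DATE = date(2021, 4, 1)


def standing_privilege_summary(records):
    """High-altitude numbers: each row counts as one instance of standing privilege."""
    hosts_by_tier = defaultdict(set)
    instances_by_tier = Counter()
    for r in records:
        hosts_by_tier[r["tier"]].add(r["host"])
        instances_by_tier[r["tier"]] += 1
    total = len(records)
    all_hosts = set().union(*hosts_by_tier.values()) if hosts_by_tier else set()
    return {
        "total_instances": total,
        "unique_admin_accounts": len({r["account"] for r in records}),
        "avg_per_host": round(total / len(all_hosts), 2) if all_hosts else 0.0,
        "avg_per_tier": {t: round(instances_by_tier[t] / len(h), 2) for t, h in hosts_by_tier.items()},
    }


def cross_tier_accounts(records):
    """Accounts holding admin on both workstations and servers: a tiering
    violation, because one compromised workstation credential reaches the server tier."""
    tiers = defaultdict(set)
    for r in records:
        tiers[r["account"]].add(r["tier"])
    return sorted(a for a, t in tiers.items() if {"workstation", "server"} <= t)


def top_accounts_by_reach(records, n=3):
    """Rank accounts by how many hosts they can administer (their blast radius)."""
    reach = defaultdict(set)
    for r in records:
        reach[r["account"]].add(r["host"])
    ranked = sorted(reach.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(a, len(h)) for a, h in ranked[:n]]


def stale_privilege(records, today, max_age_days=90):
    """Rows whose admin rights have not been exercised within max_age_days (or
    never): the 'gone stale' access that should be removed, not left standing."""
    stale = []
    for r in records:
        last = r["last_admin_logon"]
        if last is None or (today - last).days > max_age_days:
            stale.append((r["host"], r["account"]))
    return stale


if __name__ == "__main__":
    print(standing_privilege_summary(INVENTORY))
    print("cross-tier accounts:", cross_tier_accounts(INVENTORY))
    print("widest reach:", top_accounts_by_reach(INVENTORY))
    print("stale entries:", stale_privilege(INVENTORY, ASSESSMENT_DATE))
```

On real data the rows would come from enumerating local Administrators group membership on each host (expanding nested AD groups, which this example does not do) and the last-logon dates from the hosts’ logon records; the aggregation logic stays the same.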
Detailed action plans
But, beyond just calling out what hasn’t worked in the past, the Remediant PoV report tells you where you are today and provides concrete advice on how to get to your desired future state, where Zero Standing Privilege and Zero Trust for admin access become a reality.
We’re there with you to help you gauge the problem and develop the solution.
It doesn’t take an army of resources to deploy SecureONE or to get a Zero Trust environment up and running. In fact, we find that customers can get to a full ZSP model in less than 3 months and with less than one FTE maintaining the solution.
When clients ask us what we do—or even why we exist—we boil it down to SecureONE’s four key benefits.
With Remediant SecureONE, you:
- Reduce your attack surface by preventing lateral movement
- Gain visibility into privileged accounts
- Remove 24x7 access
- Quantify risk reduction by moving toward Zero Standing Privilege
With SecureONE, you can achieve an automated 99% reduction in standing privilege in just minutes. You can sweep away years of excess standing privilege in just a few hours.
With SecureONE, you protect your other investments in IT security with a solution that’s built to coexist with them. By removing the excess standing privilege that lurks in your networks and systems, you’ll ensure a stronger ecosystem of IT controls, and a more comprehensive arsenal of Privileged Access Management tools that help you sleep better at night.