December 2, 2020
Hosted by Tom Field, Senior VP of Information, ISMG
Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.
Guests: Tim Keeler, CEO & Co-Founder, Remediant
Keeler, founder and CEO of Remediant, worked at Genentech/Roche from 2000 to 2012 and was a leader on the security incident response team. Later, as a security consultant, he served clients that included UCSF, Genentech/Roche, Gilead Sciences and CardioDX. He is a GX-certified security incident handler and earned his GX security leadership certification from GIAC.
Increasingly, cyberattacks are taking advantage of privileged accounts, and traditional PAM controls are not enough to defend against them. Tim Keeler of Remediant discusses the role of zero standing privilege and just-in-time privileged account defense.
In an interview with Tom Field of Information Security Media Group, Keeler discusses:
What’s wrong with how we traditionally have approached privileged access management, especially in today’s environment?
It’s really about recognizing how breaches are happening today and how we’ve been trying to solve this over the last 20 to 25 years. The way we’ve implemented privileged access controls and security has been traditionally through the password vault method. While there are a lot of valid use cases for password vaults, we really have to recognize how attackers are breaking into networks and harvesting and compromising credentials and using the credentials to laterally move around the network. Fundamentally, what it comes down to is recognizing and understanding where accounts have administrator-level privilege. Large enterprises dealing with a very complex network have to understand that that’s changing on a regular basis. Even if you have a password vault in place, it doesn’t mitigate all the IT administrators that have access. And that’s what attackers are exploiting today.
We hear an awful lot about socially engineered attacks and ransomware. What are the breach trends that you’re seeing and how do they involve privileged accounts?
If we take a look at what’s happened since the COVID-19 pandemic started, we’ve seen a 148% increase in the number of cyberattacks that have been launched, especially against large corporations and financial-based attacks. I’ve seen a large increase in ransomware attacks, and credentials are a key part of that. It’s been traditionally thought of as: If you have a backup mechanism or an EDR solution, then you’re completely protected. But what we’re finding out through these attacks is a piece of malware will get installed on a system, and then they’ll actually start using a credential harvesting method to use valid credentials to propagate around the network. And the troubling aspect is it’s really hard to detect when you have valid use of credentials. It just seems like, “Hey, this is legitimate software that’s being installed.”
Defining Standing Privilege
Let’s talk about standing privilege. What exactly is it? And what is its role in an attack?
With standing privilege, typically if you log into any workstation or server and you look in the administrators’ group, you’re going to have different accounts that are there. It might be a combination of local accounts, domain accounts and domain groups. That’s where a lot of organizations get into trouble, because you can have a lot of message groups, and that incurs lots of privileges that can often be unintended. And those accounts are the ones that have persistent admin privilege. That’s what we call standing privilege in the environment.
What’s the role of zero standing privilege in defending against attacks?
Zero standing privilege is rooted in the concept of least privilege, which is something that we’ve been preaching in the industry for a very long time now. IT administrators generally have 24-7 access to lots of systems on the environment. And in a lot of cases, that’s being allowed access to everything. And this applies to server administrators, the IT help desk and workstations – this just sprawls out of control. When you actually talk to the IT administrators, they’re generally just logging into a small number of systems at any given time. So what zero standing privilege is all about is reducing a lot of that risk because, when we have everyone with access to everywhere, it becomes completely unmanageable. And zero standing privilege is about removing that access and making that dynamic. It’s about understanding which accounts absolutely need 24-7, persistent admin privilege and minimizing those accounts as much as possible. All the others we can start removing. The goal and the concept around this is to have zero standing privilege, meaning no accounts on all the systems on the network should have a persistent admin privilege. Looking at this from a defense perspective, if you have this control in place, you dramatically reduce or completely eliminate the risk of lateral movement when an attacker has valid credentials and they’re trying to authenticate to systems on the network. And that’s really differentiating between authentication, which is what password vaults are designed to help solve, versus authorization – understanding what accounts have privilege on what systems. We have to ask ourselves: How do we put in effective security controls if we assume that an admin-level credential is going to be compromised? Because we all recognize that admin credentials are going to be compromised, whether it’s a phishing attack or other clever means that attackers use.
One of the things that makes Remediant unique is your just-in-time approach. Can you describe that for me?
This is a key principle of zero standing privilege. It’s like, “OK, if you’re taking away everyone’s access, how do you actually give access to the administrators when they need to do their job, whether it’s troubleshooting a server or workstation or any of the many tasks that IT administrators do?”
This concept of just-in-time administration that we came up with was making this completely dynamic and tying this in with strong authentication.
If you’re an IT administrator and need to log onto server A or server B, you essentially go through our portal, log in with two-factor authentication and then you request access to the system that you’re trying to log onto for a certain period of time. If you need access to a server for four hours, we are specific about granting that account administrative-level privilege on that specific system. Rather than giving access to lots of systems, we’re making it as dynamic and time-based as possible. And this way, it’s really hard for an attacker to know exactly where that account has administrator-level privilege – especially when it’s time-based.
How is Remediant helping its customers to achieve this zero standing privilege that we’ve talked about?
For us, it’s about adding value to the customer and helping them deal with the complexity of the environment. It’s about creating a technology that gives you visibility into administrative-level privilege. And this is not just something that you run once a quarter or once a year. This is all about continuous discovery, because Active Directory groups are constantly changing, and systems on the network are constantly changing as it relates to admin privilege. Creating that visibility is really important. The time to deploy is a real key value for us. We don’t have to deploy agents out to systems. We have a very high-performance technology that is able to handle systems – even if you have hundreds of thousands – all very, very quickly. The time to value is an important deployment speed – being able to understand where administrator accounts are and then help you put the controls and policies in place to reduce that and apply just-in-time administration.