Abuse of privilege
NetWrix: Build a solid bridge between security and auditing for better incident management
Visitors to the recent Infosecurity Europe show were bombarded by vendors offering to secure their infrastructures from the outside.
There was plenty of talk about 'bring your own device' (BYOD) and increased threats from mobile devices; statistics and reports warned of the growth in cyber crime; and the pros and cons of cloud security was still a hot topic this year. This is all very important of course, but surely it is important to also address one of the biggest potential threats to any organisation; the threat from within.
While most threats still come from outside, Verizon's latest 2013 Data Breach Investigations Report said that insider threats accounted for 14 per cent of total incidents. Since 2005, 441 data breaches that involved a malicious insider led to the compromise of more than 32 million records, according to statistics collected by the US Privacy Rights Clearing House.
The weakest link to any organisation is not systems; it's the human factor. While the insider threat is usually assumed to be from rogue employees or planted ‘moles', it is important to also consider the role of IT administrators and managers that already have privileged access to sensitive information, resources and controls without having to hack into anything.
They have the ability to stop and start systems, make critical changes such as granting access rights and can even delete security logs without trace. We all prefer to believe we can rely on trusted employees to do the right thing but it would be naive not to think it is possible that someone is going to abuse their privileges. Also, if they become disgruntled or plan to leave for a competitor, the risk is even greater.
Despite this, the majority of organisations have very limited capabilities to trace specific IT events to specific users with any certainty. For example, one very large retail organisation recently told me that they had 90 IT administrators, including a number working on contract through an outsourcer, yet they had no means of determining which changes were made by which administrator at any given point in time.
We can't stop the occasional IT admin turning bad or simply making mistakes because they are not up to the job, but we can make sure we know ‘who, did what, where and when', to act as a deterrent or to catch the culprit immediately after the event. Unfortunately many companies do not have quick and easy access to this information, and very few IT teams really know what is happening in their infrastructure at any given time. Even some of the largest organisations still have to trawl manually through files of native logs to get the answers.
It's not just about the trust of privileged users. There is the question of how quickly you can identify a change in your infrastructure that has caused a problem or failure by a common user error or something more malicious.
Take Active Directory for example, it is at the core of 98 per cent of all modern networks: yet the majority of organisations can't tell you who has made changes, what they did and when they did it. The same is true for changes to the password policies and procedures that underpin IT security and despite our reliance on email, it is not standard practice to monitor for erroneous or malicious changes to MS Exchange.
Furthermore, when it comes to basic file access, many companies do not know who accessed a file, when it was accessed and if the attempt succeeded or failed.
The answer of course is effective IT change auditing. The problem is that auditing sounds like an additional headache and a lot of hassle when there is already not enough time in the day to keep the corporate network safe. So it is not surprising that so many companies do little more than pay lip service to it. A recent report from Quocirca found that many audits are only carried out before a compliance check or as part of an investigation after an event such as data loss or server failure.
While many organisations still rely on time consuming manual processes for change monitoring and auditing, others take a costly sledgehammer approach to the problem and opt for a SIEM (security information and event management) solution. However, SIEM integrates other functions such as automatic remediation and intrusion prevention, making it an expensive and complex option if your focus is on audit reliability, speed and consistency. Also, SIEM still relies largely on interrogating native audit logs that can be tampered with by privileged users.
There is another way. Specialist change auditing software can deliver a reliable and consistent view of what is going on at around a third of the cost of SIEM. It captures multiple streams of data from multiple sources, then filters, translates, sorts and compresses the results for easy access, storage and archiving - and also provides real-time alerting and automated reports.
It also provides an accurate picture of network activity by capturing a ‘snapshot' before and after a change is made and there are even video tools that effectively provide ‘CCTV' for IT systems.
Change audit must be taken seriously and not just for compliance or to keep the auditors happy. If not, by the time you have identified an abuse of privilege or insider error and got to the source – it could be too late.
Aidan Simister is UK and Ireland country manager of NetWrix