Generic accounts are your SIEM blind spot

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Event log management tools have evolved into a proactive solution set called security information and event management (SIEM), which has enabled IT to better correlate data provided by security software and appliances across the network. Properly leveraged, the data presented by SIEM systems has been a game changer for IT security teams, so much so that many compliance initiatives require organizations to deploy SIEM.

But for all the improvement we've seen since SIEM entered the picture, this powerful technology has one Achilles' heel. Though SIEM can correlate a mountain of security data to create a picture of singular events, these frameworks are limited in their ability to track the most powerful users and accounts within IT. Privileged credentials, which I like to call generic accounts, are the "super user" logins that grant IT staff access to change configuration settings, run programs, and access sensitive data everywhere on the network.

BACKGROUND: The convergence of SIEM and log management

SIEM systems were not designed with privileged identities in mind, so they have no way to tie events that are triggered through use of privileged accounts with the individuals who may be responsible. And by itself SIEM has no way to distinguish between applications using a root account and an individual who might use those same credentials to access sensitive data or make undesired configuration changes. As a result, when it comes to privileged accounts, your SIEM system can show you little to differentiate between normal events and criminal activity.

This SIEM blind spot is a special concern when you consider that most organizations seldom change their privileged credentials, and these powerful logins are often widely shared for the convenience of IT both among the staff who service the infrastructure and -- depending on the attitude of help desk personnel -- with individuals outside of IT.

Repeat after me

Data breaches often involve the unauthorized use of highly privileged accounts, and when this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It's a Groundhog Day experience that's seen in far too many enterprises.

What's worse, the lack of accountability with these generic accounts makes it extremely difficult to detect application vulnerabilities that could be exploited by external parties to steal sensitive information. When a hacker discovers a bug in a Web application that uses a generic account, the root problem is not that the account has been compromised but that the application itself has been hacked. It can be impossible to detect the difference between a faulty application and a human being with unauthorized access when the SIEM system can't tell the difference.

Fortunately, SIEM providers have taken notice and are starting to collaborate with privileged identity management (PIM) vendors to offer solutions that close this visibility gap. Together SIEM and PIM can show not only when and where critical events occurred, but also precisely who was responsible for any action that required the use of privileged "super user" accounts.

In combination, these technologies can help ensure that only authorized personnel can access an organization's most sensitive data, change configuration settings and run programs on the network. The products also work in concert to generate an audit trail to correlate the actions taken by privileged users with the security events that might result. By removing anonymity, the products introduce accountability for all users who access the organization's most critical IT resources -- revealing who had access to what systems and data, when and for what purpose.

Deep, new technical integrations between SIEM and PIM deliver top-to-bottom auditing that helps organizations determine the root causes of security events. These integrations can also help IT security staff more quickly determine the right corrective actions. For example, once it's determined that unauthorized access was attempted by an individual inside your organization, there's no point in shutting down your website "just in case" an application has been compromised. Conversely, should you determine that unauthorized access was attempted by a service or application, there may be a case for closing an application and launching an investigation.

Either way, you'll be making better-informed decisions that could ultimately prevent a costly, and potentially public, data breach.

Lieberman Software pioneered the privileged account security market, having developed its first product to address this need in 1999. The company provides privileged identity management and security management solutions that secure the multi-platform enterprise. By automating time-intensive IT administration tasks, Lieberman Software increases control over the computing infrastructure, reduces security vulnerabilities, improves productivity, and helps ensure regulatory compliance.

Read more about infrastructure management in Network World's Infrastructure Management section.

This story, "Generic accounts are your SIEM blind spot" was originally published by Network World.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon