Generic accounts are your SIEM blind spot
Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Event log management tools have evolved into a proactive solution set called security information and event management (SIEM), which has enabled IT to better correlate data provided by security software and appliances across the network. Properly leveraged, the data presented by SIEM systems has been a game changer for IT security teams, so much so that many compliance initiatives require organizations to deploy SIEM.
But for all the improvement we've seen since SIEM entered the picture, this powerful technology has one Achilles' heel. Though SIEM can correlate a mountain of security data to create a picture of singular events, these frameworks are limited in their ability to track the most powerful users and accounts within IT. Privileged credentials, which I like to call generic accounts, are the "super user" logins that grant IT staff access to change configuration settings, run programs, and access sensitive data everywhere on the network.
BACKGROUND: The convergence of SIEM and log management
SIEM systems were not designed with privileged identities in mind, so they have no way to tie events that are triggered through use of privileged accounts with the individuals who may be responsible. And by itself SIEM has no way to distinguish between applications using a root account and an individual who might use those same credentials to access sensitive data or make undesired configuration changes. As a result, when it comes to privileged accounts, your SIEM system can show you little to differentiate between normal events and criminal activity.
This SIEM blind spot is a special concern when you consider that most organizations seldom change their privileged credentials, and these powerful logins are often widely shared for the convenience of IT both among the staff who service the infrastructure and -- depending on the attitude of help desk personnel -- with individuals outside of IT.
Repeat after me
Data breaches often involve the unauthorized use of highly privileged accounts, and when this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It's a Groundhog Day experience that's seen in far too many enterprises.
What's worse, the lack of accountability with these generic accounts makes it extremely difficult to detect application vulnerabilities that could be exploited by external parties to steal sensitive information. When a hacker discovers a bug in a Web application that uses a generic account, the root problem is not that the account has been compromised but that the application itself has been hacked. It can be impossible to detect the difference between a faulty application and a human being with unauthorized access when the SIEM system can't tell the difference.
- Combating Identity Theft in a Mobile, Social World Offering identity theft protection and remediation allows businesses to give their workforce the confidence to efficiently engage while bringing financial reward to the...
- After a Breach: Managing Identity Theft Effectively This white paper from LifeLock Business Solutions notes that FIs in addition to managing fraud should strive to turn a negative event for...
- Combating Identity Fraud in a Virtual World This slide presentation reveals findings from the Javelin Strategy & Research 2012 Identity Fraud Report about mobile and social trends, the real risks...
- Cloud Computing Drives IT and Business Agility Hybrid Cloud Accelerates Time to Value What is the main focus for IT in your organization - cost or agility? Many IT discussions today focus on cost controls rather...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!