Generic accounts are your SIEM blind spot
Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Event log management tools have evolved into a proactive solution set called security information and event management (SIEM), which has enabled IT to better correlate data provided by security software and appliances across the network. Properly leveraged, the data presented by SIEM systems has been a game changer for IT security teams, so much so that many compliance initiatives require organizations to deploy SIEM.
But for all the improvement we've seen since SIEM entered the picture, this powerful technology has one Achilles' heel. Though SIEM can correlate a mountain of security data to create a picture of singular events, these frameworks are limited in their ability to track the most powerful users and accounts within IT. Privileged credentials, which I like to call generic accounts, are the "super user" logins that grant IT staff access to change configuration settings, run programs, and access sensitive data everywhere on the network.
BACKGROUND: The convergence of SIEM and log management
SIEM systems were not designed with privileged identities in mind, so they have no way to tie events that are triggered through use of privileged accounts with the individuals who may be responsible. And by itself SIEM has no way to distinguish between applications using a root account and an individual who might use those same credentials to access sensitive data or make undesired configuration changes. As a result, when it comes to privileged accounts, your SIEM system can show you little to differentiate between normal events and criminal activity.
This SIEM blind spot is a special concern when you consider that most organizations seldom change their privileged credentials, and these powerful logins are often widely shared for the convenience of IT both among the staff who service the infrastructure and -- depending on the attitude of help desk personnel -- with individuals outside of IT.
Repeat after me
Data breaches often involve the unauthorized use of highly privileged accounts, and when this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It's a Groundhog Day experience that's seen in far too many enterprises.
What's worse, the lack of accountability with these generic accounts makes it extremely difficult to detect application vulnerabilities that could be exploited by external parties to steal sensitive information. When a hacker discovers a bug in a Web application that uses a generic account, the root problem is not that the account has been compromised but that the application itself has been hacked. It can be impossible to detect the difference between a faulty application and a human being with unauthorized access when the SIEM system can't tell the difference.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Privacy White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!