Generic accounts are your SIEM blind spot
Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Event log management tools have evolved into a proactive solution set called security information and event management (SIEM), which has enabled IT to better correlate data provided by security software and appliances across the network. Properly leveraged, the data presented by SIEM systems has been a game changer for IT security teams, so much so that many compliance initiatives require organizations to deploy SIEM.
But for all the improvement we've seen since SIEM entered the picture, this powerful technology has one Achilles' heel. Though SIEM can correlate a mountain of security data to create a picture of singular events, these frameworks are limited in their ability to track the most powerful users and accounts within IT. Privileged credentials, which I like to call generic accounts, are the "super user" logins that grant IT staff access to change configuration settings, run programs, and access sensitive data everywhere on the network.
BACKGROUND: The convergence of SIEM and log management
SIEM systems were not designed with privileged identities in mind, so they have no way to tie events that are triggered through use of privileged accounts with the individuals who may be responsible. And by itself SIEM has no way to distinguish between applications using a root account and an individual who might use those same credentials to access sensitive data or make undesired configuration changes. As a result, when it comes to privileged accounts, your SIEM system can show you little to differentiate between normal events and criminal activity.
This SIEM blind spot is a special concern when you consider that most organizations seldom change their privileged credentials, and these powerful logins are often widely shared for the convenience of IT both among the staff who service the infrastructure and -- depending on the attitude of help desk personnel -- with individuals outside of IT.
Repeat after me
Data breaches often involve the unauthorized use of highly privileged accounts, and when this happens most organizations are powerless to identify the individuals or processes responsible. The best that can be done is to change a few passwords and wait for the cycle to repeat itself. It's a Groundhog Day experience that's seen in far too many enterprises.
What's worse, the lack of accountability with these generic accounts makes it extremely difficult to detect application vulnerabilities that could be exploited by external parties to steal sensitive information. When a hacker discovers a bug in a Web application that uses a generic account, the root problem is not that the account has been compromised but that the application itself has been hacked. It can be impossible to detect the difference between a faulty application and a human being with unauthorized access when the SIEM system can't tell the difference.
- How Four Citrix Customers Solved the Enterprise Mobility Challenge Managing mobile devices, data and all types of apps-Windows, datacenter, web and native mobile- through a single solution.
- 8 Steps to Fill the Mobile Enterprise Application Gap Traveling executives and Millennials alike expect to communicate, collaborate and access their important work applications and data from anywhere on whatever device they...
- Seattle Children's Accelerates Citrix Login Times by 500% with Cross-Tier Insight Seattle Children's is a leading research hospital with a large and growing Citrix XenDesktop deployment. With ExtraHop, the IT team at Seattle Children's...
- McKesson Makes Application Hosting for Hospitals Faster, More Efficient With ExtraHop, McKesson identified the root cause of slow Citrix XenApp application launches and adopted a more intelligent, proactive IT operations model that...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!