Review: Stop insider attacks with these 6 powerful tools

Privileged Identity Management is based on the idea that a common element of most advanced threats involves obtaining the credentials of an administrator, super-user or even a program with local admin rights. Armed with those credentials, the attacker can turn internal systems against themselves, rewrite security policies and remain undetected.

Privileged Identity Management tools lock down those special user credentials so that even successful breaches are only done against low-level endpoints that can’t do much harm. Should attackers on a compromised system attempt to elevate those privileges, not only will they be quickly detected, but any process that attempts to run will be blocked.

For this review, we looked at BeyondTrust, Lieberman Software, NetIQ, CyberArk, Centrify and Viewfinity. This is still an evolving area, and companies are approaching it from different perspectives. For that reason, this is not a head-to-head comparison, but more of an analysis of how each vendor approaches PIM.

+ Also on Network World: Old-school anti-virus vendors show off new tricks +

Each vendor seemed to shine in at least one area. The Viewfinity Privilege Management suite worked well in locking down the privileges of all users, and was the best at doing so with a very light touch that is completely invisible to most users.

The Centrify Server Suite and Privilege Service products eliminated the traditional need for a password vault, giving users access to network assets as needed using their normal logins, and removing multiple passwords from the equation all together.

The CyberArk Privileged Account Security Solution is one of the most comprehensive systems that we tested because it’s made up of five distinct elements for a completely rounded security picture.

The core of the Lieberman Software solution is its Enterprise Random Password Manager which can randomize thousands of passwords in just a few minutes to ensure that even in the event of a captured password, it won’t be good for long.

NetIQ’s Privileged Account Manager concentrated on the often-overlooked area of non-human accounts which might be held by certain programs or processes, as well as any user who has accidentally been given greater access than needed.

And the BeyondTrust PowerBroker UNIX & Linux product takes PIM out of the Windows environment and over to Linux and Unix systems, where it’s sorely needed. (Watch a slideshow with screen shots of each product.)

Here are the individual reviews:

BeyondTrust PowerBroker UNIX & Linux

The BeyondTrust PowerBroker UNIX & Linux product only works with those operating systems, though it can tie into a management console that is able to control all systems on a network, including those protected with the BeyondTrust PowerBroker for Windows product. For this review, we only looked at Linux systems. All BeyondTrust products are perpetual and server based. PowerBroker pricing starts at $199 and volume discounts apply.

When PowerBroker is initially installed on a network, a tiny bit of code is installed on every Linux machine to act as an agent that communicates back to the central security server. Thereafter, policies for each user and every possible command can be imported from other sources or created using the main interface. Although there is a very clean GUI, BeyondTrust officials say the vast majority of their Linux users prefer the command line interface. As such, much of our testing was done using the command line.

PowerBroker takes the concept of least privilege to the extreme. Once installed, all requests by users to run a process, either remotely or on a local machine, are sent out to the authorization server. There are a lot of rules that can be set based on things like the actual command that needs to be run, the user doing the requesting, their location and even time of day. The authorization server checks the policy file and then either OKs the user to run the command or rejects them. In either case, the request and the resolution are logged.

Should a request be approved, it does not necessarily mean that the process will run as the root user. Policies can be set so that commands are run from lower-privileged accounts as an extra layer of security. So a user may want root access to run a process, but instead have that process run as some type of admin or even a normal user should doing so be possible. PowerBroker can be configured to only give out the absolute minimum permission level needed for each process.

In our testing, any attempts to circumvent the authorization server failed. By default, if the authorization server can’t be contacted, such as if a network cable is disconnected, all requests are denied. Attempts to gain root or administrator access to local machines without going through the authorization server are immediately shutdown. And all communication between the local machine and the authorization server are protected using AES encryption to prevent snooping or spoofing.

The log file of every user request is stored at a central server which is not accessible from any of the client machines on a network. So even insider threats won’t be able to cover their tracks. Bringing up the PowerBroker console, it’s easy to spot all failed requests in the daily log file, which are highlighted red in what is likely a sea of green approvals. That way even if a user is just testing the defenses of a system or database, those attempts will get logged. Reports can be examined at any time by policy server administrators, or set to be delivered in various forms like e-mail on a schedule.

As an option, sessions from users can be recorded and played back later. This can be set so that automatic recording happens based on certain events, such as higher level commands being issued or a user remotely controlling a machine other than the local one, or whatever an administrator feels is necessary to maintain security and compliance. Because most users are making use of the Linux command line interface, much of this recording is simply capturing text and keystrokes, which makes the files relatively small. Data limits can be set however if space becomes a problem, with the program only capturing, say, the first 500k of data, which is usually enough to get an idea what a user is up to.

When using the recording component, even erased keystrokes are captured. We tried to simulate a user thinking about entering a command, like one that would erase a file, and typing it before chickening out and changing their mind. Even so, as long as we actually typed the command, that process was recorded even if it was never sent.

Many Linux administrators are likely using SUDO to enforce least privilege policies. As a nod to that, BeyondTrust has a version of PowerBroker called the PBSUDO Policy Server that integrates most of the features of PowerBroker for SUDO users, with the most important addition being that it removes SUDO command authorization from the local machines, protecting them on a remote authorization server just like the main PowerBroker version of the product.

A final component to the PowerBroker suite is the BeyondInsight tool, which uses analytics to identify anomalous behaviors and first-time events. So if a user has always logged in locally but suddenly is working remotely, that might get flagged. Or if an administrator of one part of an organization suddenly begins poking around in areas that they are not responsible for, that would also likely raise a red flag. The one negative with this tool is that it takes a very long time to become useful, with a minimum baseline of three months. Thankfully, the user interface showing all the command lines that are approved and denied works pretty well in the meantime, especially if someone takes the time to become familiar with normal network operations.

Where BeyondInsight can really help is with very large organizations, or situations where misconfigured policies are allowing some users to do things that they should not be able to accomplish. It can catch rogue trusted insiders, but also incorrectly configured policies that might accidentally be allowing unwanted processes and commands to execute.

NetIQ Privileged Account Manager 3.0

Privileged Account Manager from NetIQ, which is now under the umbrella of Micro Focus, defines privileged accounts as those that are able to access files, run programs and add or change the rights of existing users. They also concentrate on non-human accounts which might be held by certain programs or processes, as well as any user who has been given greater access than most users. That’s a pretty huge group of people for most organizations, but Privileged Account Manager is able to manage them using automation alongside the direct monitoring of user activities.

The heart of the NetIQ product is the Enterprise Credential Vault, which stores all passwords for assets in an encrypted data safe. Users don’t need to know the passwords for the systems or assets that they need to access. Instead, they apply for access and if approved, are given a temporary password that is only valid for a certain period of time before it expires and becomes useless. These passwords can be given out automatically based on policies or may need to be approved by a policy server administrator. Almost any rule can be configured based on users and the security surrounding the requested asset. Because of the automation aspect, programs like databases and cloud services can make use of the vault as well for valid automatic processes that they need to perform on a regular basis.

Setting up the various policies is an easy process using the graphical interface. There are various categories to choose from when selecting rule groups, like Windows access and Oracle database password checkout rules. You can import an entire set of rules from Active Directory, or any other database program in the event there is already some form of user or password-based security within the organization.

Administrators can also set up rules for what happens after a session is authorized, which can be very specific. For example, users can be restricted from entering the delete command for any file, or prevented from opening notepad to copy data down to the local machine. You can also specify certain capital offenses, such as trying to run the services command on a Windows server. Going beyond just blocking, performing one of those grave offenses can automatically disconnect the user, ending their session, revoking their rights to that system and their password, and notifying administrators as to what happened and why.

We tested this by trying some sneaky ways to get around capital offenses on a protected machine and every time we were met with a session disconnected screen and revoked credentials. On the admin panel side of Privileged Account Manager, those forced disconnects glowed bright red and our clear pattern of attempted abuse was obvious. We are fairly sure that had we attempted this on a real production network, that someone would be coming to have a talk with us, or probably to escort us out of the building.

Policy administrators even have control over the password checkout requests themselves, assuming the system is configured to have a human in the loop. For example, if a user requests a high level of access to a certain server and the explanation given does not justify it, the administrator can instead authorize a temporary password, but assign that person lower-level access. An explanation of why the lower level access is being granted can be sent along with the authorization so the user knows the logic behind the ruling.

Full sessions can be recorded by Privileged Account Manager. There is an excellent review program that lists all of the commands that a user entered on the left side while a full view of the desktop plays like a movie on the right. You can select any part in the video by clicking on the left-side command window, so you can see exactly when and how the user tried to open services for example, or it can be controlled like a normal video with play and fast forward buttons, or by clicking on the movie’s position bar at the bottom of the screen. This can be examined any time after a session has ended as part of a forensic investigation, or in real time as the session is going on in case there is an active investigation involving a specific user.

And lest the policy administrators start to abuse their power, all of their actions are also logged, so someone can be assigned to watch the watchers for even more robust security.

The automatic features that can be programmed into Privileged Account Manager 3.0 are impressive and can really help to stop both egregious offenses and also stupid user mistakes, both of which can be very costly to an organization. But Privileged Account Manager really works best when humans are also monitoring the sessions and actively responding to user requests for access to system resources. The interface is sleek enough that a single administrator can easily manage quite a few users, with requests perhaps having to wait a few minutes for approval at peak times.