Using Securonix for Directory-Based Service Account Monitoring

I was recently working with one of our customers, a very large health care services and administration company, to implement the Securonix solution to solve a different kind of enterprise network security problem.  Both the information security team and the network administration people were struggling with managing and monitoring accounts with High Privilege Access, particularly Service Accounts.   Service accounts are intended to provide high privileged access to IT resources for setup, configuration and testing purposes. These accounts are not intended for interactive logins (where a user physically logs in by entering credentials) other than for very specific short term uses.

Service accounts aren’t treated by IT like user accounts but at the functional level they ARE the same as user accounts and usually have higher privileges than the average user. You often find users using accounts configured as Service accounts, or even low-privilege users gaining access to resources by using the authentication credentials of a Service Account. For obvious security reasons, the IT and Network administration people needed a way to certify the access privileges and monitor Service Account activity to make sure that these accounts are not being abused or getting compromised.

We suggested that that Securonix was an ideal tool for getting a handle on the Service Account problem. When using  Securonix, it connects to AD and LDAP natively and is able to automatically identify service accounts as well as other high privileged accounts in the IT environment. The  policy at this customer site is that when a Service Account is provisioned, there is a 14 day window where interactive logins were permitted to facilitate configurations, implementation and testing. After that, Securonix continuously checks for interactive logins by service accounts and generates an alert whenever it detects an interactive login to a Service Account.

The results were spectacular. The customer was able to clean up the old unused and orphan Service Accounts, terminate the ones that were being used improperly and monitor the remaining accounts.

Instead of a manual account certification process and hundreds of questionable or suspicious events and logins a day, they now had a continuously updated dashboard, complete and robust reporting, and a manageable number of alerts every day. Going forward, they are configuring Securonix to automatically update the Identity and Access Management solution when new conforming accounts are provisioned, and flag nonconforming accounts for approval by IT Management.

The Ghost in the Machine: Tracking Stealthy Fileless Malware in the Windows...
5 Cyber Threats Facing the Financial Service Sector in 2024
What is Network Detection and Response (NDR)?
What is the MITRE ATT&CK Framework?