HEALTHCARE CASE STUDY:
Healthcare Rogue Access Privileges

Regional Healthcare Provider


THE BUSINESS

Client is a global healthcare company that provides medical technologies and services for global healthcare customers. Headquartered in the United Kingdom, the company is a world leader in healthcare technologies and solutions.

 

THE CHALLENGES

Privileged Account Monitoring

With over 4000 servers being used for various applications and processes, the company was unable to monitor activities carried out by high privileged accounts. With various security policies set in place, monitoring for privileged accounts and privileged account owners, there existed no technological solution within their existing security portfolio that would allow for data driven threat and risk assessments and monitoring of their infrastructure and sensitive information.

Data Egress of Classified Information

As a pioneer in the medical technologies space, the client has a large number of highly sensitive and proprietary design documents and sketches. Classified data specification is stored in the clients existing document management solution. These documents are stored in a common, central repository along with general unclassified documents. The security team was not able to identify users who may be downloading classified documents that do not meet their classification.

Rogue Access Privileges

Access Outlier Analysis – Detection of outlier access privileges held by user accounts, shared and service accounts using peer group comparison analytics. Securonix was implemented to extract all privileged accounts and correlate them to identities through its identity analytics module. The system then ingested all entitlements for these accounts and identities, providing automated reports that show the access outliers in their environment allowing the security team to mitigate access risk by providing visibility into accounts where some access needed to be removed, certified or excluded.

THE SECURONIX SOLUTION

Inactive Unix Account Cleanup

The client required an automated process that would detect inactivity of Unix accounts and flag for the suspension or removal of such accounts after a stated period of inactivity. Securonix was setup to detect inactivity of these accounts according to the customer’s policies and create alerts that would allow the security team to remove these accounts and privileges.

Service Account Monitoring

By policy, Windows Service Accounts are not allowed to perform interactive logon capability for a period of more than 14 days from the time they are provisioned. The client needed the ability to detect interactive logon activities that were happening past the set time frame and provide alerts on these activities.

Monitoring High Privileged Account Interactive Logins on Service Account

According to the customers policy, Windows Service Accounts are not allowed to perform interactive logon ability for a period of more than 14 days. The goal was to identify Unix and Windows non personal accounts as well as High Privileged Accounts with the ability to establish interactive logon sessions that are granted Administrative Access on servers that host critical systems or SOX L1 regulated applications and flag them for remediation.

Non Admin Accounts Present in Admin Groups

The client defined a goal to be able to identify Non ‘Admin’ accounts that are present in admin groups within the different directory services in the organization. According to the customer’s policy, users should never use their primary identity account present in admin or high privileged groups. Securonix Privileged Account Intelligence was used to detect such cases and flag them for remediation.

Terminated Users Access Privileges Cleanup

The objective was to create the capability to allow the customer to rapidly detect accounts and entitlements that are not deleted from the organizations directories within 48 hours of a user’s termination. Securonix was used to detect the termination flags in the company’s HR system and immediately identify events where employees were terminated while leaving their access entitlements intact.

Continuous Provisioning Control Violation

Detect accounts with privileged entitlements or accounts in privileged groups that are created directly on the Windows or Unix directory services thus circumventing the company’s IDM system. This was done by comparing account creation events to trace or evidence of creation in the IDM activity logs.

Smart Card Enforcement Violation

The client has strict rules and policies governing physical access through smart cards. The policy states that privileged accounts not having smart card authentication should not be seen logging in to systems. The capability was needed to detect such events and create the relevant flags and alerts.

Real time Fire call account Monitoring

Identify Fire call accounts that have been used on High Privileged Accounts on Windows/Unix Servers that do not show correlated check out activity in the vault(CyberArk).

Overview

Industry

  • Healthcare and Pharmaceuticals

Securonix Use Cases

  • Access risk monitoring
  • Identity Intelligence
  • Privileged Account Monitoring

Business Impact

  • Rogue Access Cleanup
  • Privileged Account Monitoring
  • Identification of Data Egress of Classified Information
  • Elimination of dependency on inaccurate manual processes

Data Sources

  • Corporate HR Directory
  • Active Directory
  • Powerbroker Identity Services
  • Unix Security Logs
  • Windows Logon Events
  • IDM Provisioning Logs
  • Firewall Account Checkout Activity
  • Document Management Checkout Activity
  • Palo Alto Networks Firewall Threat Activity Logs
  • DLP Events
  • Physical Security Logs

Solution Tour

  • Data Egress of Classified Information

  • Rogue Access Privileges

  • Business Impact

  • Real time behavior based analysis of document checkout of type of document from the document management system
  • Real time fraud analysis to identify frequent checkout of a single document type
  • Real time peer based activity analysis to identify users checking out documents not accessed by their peers
  • Identify documents sent outside the customer’s environment after document downloaded from document management system – analysis using Palo Alto FireWall logs
  • Identify documents sent out via a DLP egress point after it had been checked out from document management system having the same file name
  • Identify document sent out via DLP egress point after it had been checked out from document management system depending on the file size of document checked out
  • Monitor DLP egress activity after document type checkout from document management system

Spread across the globe in over 100 countries with IT privileges spread across multiple Active Directory Domain Controllers, this healthcare solution provider is unable to identify the access privileges that are required by its employees and contractors to perform their duties. With a complex Active Directory that has multiple nesting of permission groups and privileges, it is difficult for them to identify and cleanup rogue access permissions associated with user accounts, service accounts and shared accounts.

Even though the client has a very mature information security practice, as well as corporate awareness, traditional tools that they were using could not provide the capabilities for detecting rogue access permissions, risk assignment to access permissions and assignment of an identity perspective to each risk associated to the organization.

Provide Privileged Group Data Owners With a Clear Certification Process

The objective was to allow corporate data and application owners from multiple domains in the company to log into Securonix in order to review high risk users and privileges. This was done on a complex environment using Active Directory Authentication transactions that were run across multiple domain controllers with no trusted connection between the different domains.

Privileged Account Monitoring

The organization now has the ability enforce all of their existing security policies and detect the riskiest violators of their security policies. The Securonix platform provides the customer with the ability to enforce security policies and take immediate action on violations as opposed to their previous manual quarterly process. Privileged account monitoring has allowed the customer to implement security policies and have effective monitoring controls to detect violators in real time for previously non existing policies. The Securonix solution also included detection and monitoring capabilities for new risk vectors in their infrastructure and critical applications.

Data Egress of Classified Information

The client now has the ability to monitor data egress of their classified information. By introducing a behavior and peer based analytics approach to analyze risk, the client is now able to monitor risk and detect advanced persistent threats as they evolve. The Securonix Investigation Workbench was configured to allow the security and forensics team to investigate events from different dimensions, allowing them to visualize and understand the true threat scape posed by Advanced Persistent Threats (APTs). By implementing behavioral and peer based approach to risks, the client has detected risky events and security violations on their classified data and were able to mitigate the threats before damage was incurred.

Rogue Access Cleanup

For the first time the client has the ability to provide the data owners with the identity of the riskiest access privileges present in the groups that they own. They have the ability to identify rogue access permissions held by user accounts and non-personal accounts. The client’s security team now has the ability to detect derived permission and unauthorized permissions held by user accounts and service accounts when they are in nested directory groups. By risk scoring the rogue access privileges, the client has the ability to prioritize access cleanup during their quarterly access certification process.