The Human Factor – Monitoring for High Privileged Accounts

People tasked with securing network infrastructure, digital data and applications have always been faced with an insoluble dilemma.  There has to be a staff of experts and technicians to maintain the system, repair it when it fails, and solve problems extending to the most critical systems.  Those people need the necessary credentials, entitlements and access permissions to do their job, but the problem is simply this: They’re people.  And there is a statistical certainty that some small percentage of them will be bad, or go rogue or somehow their credentials will get compromised.  Of course, with their combination of expertise and virtually unlimited access, they have an ability to do damage of very significant proportions to their position within the organization – they represent the risk of a quintessential “Black Swan” event, a low-likelihood risk with a very high potential cost.

We saw this endless InfoSec challenge played out in a very public forum last week when the former IT Administrator for the historically hapless city of Hoboken, New Jersey, Patrick Ricciardi, pled guilty to Federal hacking charges.  It seems the previous Mayor of Hoboken, Peter Cammarano, was forced to step down after being arrested on corruption charges in 2009, and Dawn Zimmer won a special election to become the new Mayor.  Unfortunately, many of the City’s civil servants, including Patrick Ricciardi, remained loyal to Cammarano and opposed to Zimmer, which split Hoboken’s management into two political factions.

Here is a link to the original story

With his expertise and access to the Government systems, it was a trivial matter for him to write a script that copied all the Mayor’s incoming and outgoing emails to an archive file on his computer.  Unfortunately for Mr. Ricciardi, one of the city officials he provided with the Mayor’s confidential emails printed one of them out and confronted her with it.  She, quite reasonably, but far too late, ordered a security audit that uncovered the archive file with the emails in it.

Employees like Patrick Ricciardi are what we call HPAs – Highly Privileged Accounts. Many of them are your best employees, but every now and then, one may go rogue, and that can represents a very serious risk to your business.  What is needed is a way to monitor not just access, but behavior, no matter what system, IP address or account they use to try and mask their activities.  A system with the intelligence and the vision across the network and application stack to understand who these people are and what they’re actually doing – in real time.  Forensics is not enough – mitigation is not enough – with some threats the only viable option is prevention.  IAMs can’t prevent these threats.  Neither can SIEMs.  When the access is legitimate, it is only the behavior that gives the rogue activity away.  Securonix would have flagged this activity even as Mr. Ricciardi was implementing it, allowing security personnel to lock it down and investigate it before any data was compromised.

Most people would agree that prevention through intelligence is a much better outcome than a high-profile federal prosecution.  That option exists today.