Over the last year my company has worked on managing ever larger customer environments including some that require taking our auto-discovery of privileged accounts to the “next level”. Conceptually this means providing a solution that automatically discovers accounts, where they are used and how they are used. And then changing credentials on a regular basis without causing outages. This, in itself, is a much needed capability for most IT shops.
But, as it turns out, even with the best auto-discovery, the human element represents the core limitation in implementing security. Therefore, our philosophy is that by minimizing the involvement of humans, security is improved because the time to manage systems is minimized.
Today’s cyber-warriors implement nation-state attacks using their own automated solutions to probe systems for weaknesses, create phishing attacks and – once the target is breached – investigate, inventory and penetrate additional systems. The conclusion of many IT professionals at large organizations is that their perimeter defenses are good, but not perfect. Consequently they realize there are some systems on their networks controlled by outside and unauthorized entities.
So if we start with an understanding that there are always one or more intruders within our networks, what can be done to minimize the consequences of these intrusions? Obviously you want to limit the scope of how far an intruder can penetrate. This means maintaining unique credentials on each system. I also means regularly rotating domain administrator passwords on a frequency that assumes compromise within the last 24-48 hours.
Total Automation of Privileged Account Management
To protect against persistent attacks targeting a large enterprise, your security must be completely automated – not just a simple point-in-time discovery done by a systems administrator on his own schedule.
Here’s why: Consider some of today’s large critical national infrastructure organizations that have upwards of 20 million systems. It’s understood that these entities cannot manage that many machines using a web browser, nor from an appliance. To defend against serious foes, the security solution’s entire architecture needs to be distributed, n-tier, and subject to penetration testing on every layer. The solution also needs to be able to sustain compromise at various tiers and have a “plan-B” to recover via re-encryption and re-securing identities rapidly.
Our solution to this challenge is a new paradigm in privileged identity management where it’s assumed that every machine, identity and password may be privileged, and the management of certificates is just as important as credentials. To keep ahead of advanced nation-state foes, we introduced a fully documented API that allows the programmatic high level management of identity security. This API lets an organization, within the space of 5-10 lines of code, automate the continuous management of thousands of systems using a choice of web services or Microsoft PowerShell.
We understand how competent the other side is in penetrating your IT infrastructure. Our mission is to give you new and viable options to fully automate identity security so that you not only stay in the race, but well ahead of the pack.
What are your thoughts on best practices for protecting against automated security attacks? Leave a comment below.
You can also follow us on Twitter.