A report by Forrester once claimed that 80% of all security breaches involved the abuse or misuse of privileged credentials. Let’s accept for a moment that Forrester are right, and that privileged user accounts are the common denominator in a large percentage of security breaches. Knowing this, we’d expect to see all organisations well on the path to having clear processes, policy and controls in place to audit, track and manage such accounts. Sadly, this is not the case.
While the state of privileged user auditing has improved significantly since this report was published, it’s still far from widespread. The main places we’ve seen faster adoption came as a result of increased strictness of regulatory compliance (such as HIPAA, PCI, SOX and GDPR) rather than security. Fear of noncompliance appears to be a much greater motivator than the intrinsic security risk. I know the two are intertwined but, in term of the specifics, it would seem that those with a more process driven approach are in better shape.
Another not uncommon trend we’ve seen is the rate of adoption based on regions. The North American market is much more mindful of the problem of privilege abuse and rogue admins than EMEA or APAC. It’s plausible and likely this could be partly attributed to a greater culture of compliance and litigation than other regions. Promisingly, we’ve seen a change in attitude in many regions and organisations, especially within the UK and Europe. However, the reality is, the majority, namely more than 50% of mid to large sized enterprises, have yet to take a proactive approach to auditing and monitoring their most privileged user accounts.
Why is this still the case?
We’ve taken this question to market numerous times across tradeshows, one to one interviews and through our sales and pre-sales teams, and the stock answers we receive often circle the following responses.
We don’t have these kind of problems
It’s without a doubt better than it was, but there are a lot of people that just refuse to accept or have no visible evidence that privileged user accounts are a threat. While it’s the minority, it seems that some organisations are still in denial.
I thought we were doing it already
Perhaps it’s a communication thing, or perhaps it’s a process issue, but very often we see organizations in quite a bit of confusion as to who’s job is it to keep track of these things. With one business unit passing the buck to another.
We trust our admins
The majority of the time, this is true. But all it takes is one admin with a grudge and you’ve gone a serious problem. This is a reality that many organisations don’t want to face, but the fact is, it happens more often then we’d like to admit. Trust is not a security strategy. Apart from the fact that admins have the potential to go rogue, surely it’s important to ensure they have an audit trail to protect them?
The other challenge here of course is, all too often, those involved in choosing the solution are the same people that will be subject to the monitoring of the controls. So quite often, it’s only when there is an external driver (such as regulatory compliance) that admins will willingly encourage the use of such controls.
Solutions are too expensive
While such accounts do present a real, clear and present danger, the level of security often simply comes down to what’s in the budget. For a security team to justify a six-figure spend on a problem that is dangerous but potentially ‘quiet,’ is very difficult.
Busy putting out fires elsewhere
One commonly cited reason for not being more proactive, is a mentality of fighting fires. Organizations often choose to put a huge amount of resource and effort into protecting against threats from the outside; threats that, on the face of it, feel worse.
We don’t need a solution to do it
In many cases, organizations seem to think that native auditing is good enough when it comes to keeping track of changes, actions and activities of their privileged users. The fact is, there are so many reasons as to why this why native auditing isn’t good enough.
A lot of the above reasons simply don’t wash any more. There are a number of really strong vendors in this space that enable you to get the info you need to help with compliance and security. Many of these vendors are now financially viable, in some cases even proving an ROI in under 2 years.
Fortunately, I think most organisations have accepted that native auditing is too reactive and is lacking in many ways. The key challenges nowadays for organizations, when it comes to cybersecurity, are skill shortages and prioritisation. Threats are coming from all angles, and with so many marketing fuelled solutions being thrown around, it’s a tough job to know what’s real and what’s not.
How do you know which content is biased and which isn’t? Our view is that a grounded security strategy needs to start from the ground up, begin with questions and build from there. Take a look at this piece we wrote for SC Magazine a while back on this topic. Whether you pursue an Active Directory auditing solution or not, I urge you to think carefully about the common-sense questions around your most privileged user accounts. They pose a real and present danger if left unchecked.