Hello. This is Kevin Donahue with Protiviti. Welcome to a new edition of Powerful Insights and our series on cyber security awareness. Protiviti has a series of webinars on cyber security awareness that, along with these accompanying podcasts, are intended to highlight ways organisations can be proactive in addressing these critical security challenges. We explore how leaders can dynamically build cyber resilience while maximising value. In this series, I’m happy to be talking to our cyber security leaders who are speaking on our webinars and are in the market working with organisations addressing these challenges. You can find more information and listen to our webinars on-demand at protiviti.com/security. With that, I’m happy to introduce my two guests today, Eli Hajjar and Ryan James. Eli is a Senior Manager with our Security and Privacy group. He’s based in Houston, while Ryan is a Manager with our Security and Privacy practise. Ryan is based in Washington, D.C. Eli, thanks for joining me.
My pleasure. I’m glad to be here.
You know, I may have to give them a call and ask this question directly but the way that I have tried to explain it to them is that Identity & Access Management is really about us helping our customers control who has access to their systems, so giving the right people the right access at the right time from the right location, and not the inverse, and then within privileged as a subset, the only thing I’ve tried to explain is that privileged access is just that really high-risk stuff, and so there’s more emphasis around controlling that.
That sounds good. Ryan, how about you?
Yes. I think it’s probably going to be a mix bag of things. My parents have followed me along my career and they probably say, “Oh, he does development. He does cyber security. He does IT.” Each one of those things is a mouthful if you’re in those specific industries, but yes, I mean that’s probably how they would describe it somewhere around cyber security and infrastructure support.
The Privileged Access Management is really a huge subcomponent of the identity world because, frankly, it is what attackers care about. So, if you are some sort of malicious attacker, the way to exfiltrate data, cause a breach, et cetera, is getting access to privileged credentials. It is a field that all of the leading research firms like Gartner, call PAM, a top security project - there’s a bunch of these data breach investigations reports that call out upwards of three quarters of breaches involve the compromise of a privileged credential. So, frankly, it’s just top-of-mind for information security professionals, for auditors, for organisations, that’s regulatory and compliance requirements. And so really, what it boils down to is that’s what the bad guys want, and so we have to take steps to try to protect it against that.
Yes. And then one way or another, a privileged access issue. It’s possible that somebody breaches an organisation’s network by just getting an end user with a phishing campaign, for example. But for them to be able to get from that initial breach location to really what they want to do, they’re likely going to need to compromise a privileged credential that provides them access that is sufficiently high-risk to the organisation, for them to go and either grab the data they need, or take down a key system or something, so that’s really what makes PAM, Privileged Access Management, so important.
One of the biggest myths that I come across time and time again, and this is always at some level, regardless of the scope of the project, is that there seems to be some confusion or some myths around what privileged access really is. I think when I’ve had discussions with customers in the past, it seems like their understanding of what privileged access or privileged account is really just limited to those traditional administrator accounts on servers or databases. That just isn’t the case, especially nowadays. Privileged access goes far beyond, in my opinion, than just those traditional infrastructure accounts you use to support, like a server or an application or a database. It’s really any account that has some level of risk that can be associated with the access that account is given. Typically, when I’m speaking to customers, I try to highlight that. You may have your original, traditional understanding of what privileged account is, but let’s revisit that conversation. Let’s put that aside for a second and let’s go take a look at what’s important to you as an organisation. Where is the risk? Let’s have that conversation, and then let’s go back and look at what you originally thought were privileged accounts. How does that now change your thinking? Nine times out of 10 it changes their thinking about privileged access, which translates back to privileged account management in the scope of privileged accounts and their environment.
Yes. That makes complete sense. Eli, maybe it’s what you just described maybe it’s something else, but what do you see as the biggest challenge facing your clients right now?
And Ryan, Eli’s response to that is a good segue to my next question for you. Again, maybe it touches on some of those issues, but what’s the one question you’re asked most often by companies interested or wanting to know more about PAM, and of course, how do you answer it?
Yes, so really quite frankly, I’m mostly technical. The most common question really is, “How do we get started?” The short and dirty answer to that - I often tell customers is, “You need to get it handled in the scope of privileged access.” That would be the first part. So if they’re coming into this field brand new, what do we need to do to begin protecting privileged accounts, it’s we need to understand what is the scope of privileged accounts, and that kind of ties in, I think, pretty closely to what Eli was talking about, and what I was talking about earlier is understanding, “Okay. Well, where is our risk?” and “What are the accounts that are used to access that information that might have risk around regulation, sensitive information, branding, reputation?” That’s really the big question. Where do we get started, and my answer is almost always, “You got to get it handled in the scope of privileged access in your environment.”
I have a quick question for one or both of you. Where does the multifactor authentication come into play here? Is this a helpful tool when it comes to privileged access management or is it something completely separate?
That’s a great point and great insight. Thank you. It’s been a pleasure speaking with both of you today. I want to mention that you out there can listen to our webinars on-demand on this topic and find other content from Protiviti related to these and other security issues at protiviti.com/security. One final question here, Eli, and Ryan you could chime in on this one too. With respect to privileged access management, and maybe some developments, what you see maybe coming over the next five, 10 years or more, what are you most curious about right now?
For me, it actually fairly aligns to what we talked about in our webinar a couple of weeks back. PAM solutions can provide a lot of really nice controls, a lot of really nice enhanced security around protecting these accounts, but in a lot of cases, the fact is, organisations are changing their posture, from a stance of, “We have to keep the bad guys out,” to a stance of, “They’re going to get in at some point, and so we need to be able to take better action when that happens. What that’s meaning in the PAM space is that some of the more reactive controls - for example, monitoring for something anomalous happening and then having a human look into it and make some determination on whether it was appropriate or not, escalating through some sort of incident response plan manually, in some cases that’s not really going to meet the needs anymore. There’s a lot of studies out there showing the average time to identify a breach is over a couple of months, two and a half or three months, while the time to be able to exfiltrate data from a breach is within a number of hours. So, what’s interesting to me, and what I think you’re going to see a lot more of is organisations deploying some of the automated response techniques where by defining the right use cases to look at as something anomalous happens, you have the technology in place to automatically take action without requiring human intervention. One of the examples we gave in the webinar is if somebody creates a new privileged account outside of the scope of the PAM solution, the PAM solution can then detect that and automatically vault that account and rotate its password so that whoever was doing that, even if it ends up being a justified action, we’ve now taken it into the management of the PAM tool, we’ve minimised that risk automatically, and the person can come back behind the scenes and go through the right checks and balances to get what they needed, but if it were in a various action you now in real time killed the ability for somebody to be able to do something with that new account. Those automated response and remediation techniques I think are ones that over the past couple of years some of the out-of-the-box technology capabilities were still catching up but I think that stuff is now here and ready so I think the next couple of years we’ll really start to show a lot more use of that automation, which I think is great.