Too much data, or too little?
Organizations routinely monitor user accounts in an attempt to improve their security posture.
However, it can be difficult to collect the right amount of data. Too little, and the company cannot effectively inform security professionals’ decisions; too much, and the company quickly reaches data overload, at which point the proverbial “needle in a haystack” problem follows.
Read on as we explain how leading enterprises are taking a more strategic and systematic approach to this security challenge.
The “golden key holders”
The key to mitigating the risks mentioned above is to intelligently prioritize the data collection process around “high privileged accounts” (HPAs), using automation combined with human review to focus on the accounts that pose the biggest risk.
First, evaluate which employees have been granted HPA. These “golden key holders” have access to sensitive processes, data sets or services—thus they can inadvertently or maliciously introduce the highest potential impact and risk to an organization.
Second, deploy user behavior analytics focused on the HPAs to more quickly identify and respond to security concerns.
Then concentrate on the highest-risk profiles. Unlike normal accounts with standard access to enterprise systems, HPAs pose additional risk.
That’s because they have the greatest access to information and the broadest capabilities that can be exercised if compromised by an external threat or an insider.
Insider threats, in particular, are extremely dangerous because their familiarity with internal systems makes it possible to do more damage across the enterprise—and to do it more quickly.
Additionally, insiders may be provisioned access that a malevolent outsider would have to take additional steps to obtain.
By targeting high privilege account holders, malicious actors may be able to shorten or skip steps in the attack chain, specifically in gaining footholds and performing reconnaissance. This makes timely detection even more critical in the case of insider threats.
Seize a security advantage
Organizations can incorporate user behavior analytics into their security processes to automate portions of the detection and remediation process.
These specialized analytics form models of user behavior—in this case, the HPAs—and help to detect deviations from patterns that security professionals might miss.
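The following is an added illustration of the two steps described above (identify which accounts hold elevated privilege, then model only those accounts’ behavior and flag deviations); it is example code written for this page, not a tool or method from the article’s authors. The account names, hosts, actions and audit lines are all constructed sample values, and the audit format (pipe-delimited timestamp, account, source host, action) is a hypothetical one chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory of accounts that hold elevated privilege
# (the "golden key holders" identified in step one). Hypothetical names.
PRIVILEGED_ACCOUNTS = {"dba_admin", "svc_backup"}

# Constructed historical audit records, one per line:
# timestamp|account|source host|action. Invented sample values only.
HISTORY = [
    "2024-03-04T09:05:00|dba_admin|wks-101|db.query",
    "2024-03-04T14:30:00|dba_admin|wks-101|db.query",
    "2024-03-05T10:12:00|dba_admin|wks-101|db.schema_change",
    "2024-03-06T08:55:00|dba_admin|wks-101|db.query",
    "2024-03-04T02:00:00|svc_backup|bkp-01|db.dump",
    "2024-03-05T02:00:00|svc_backup|bkp-01|db.dump",
    "2024-03-06T02:00:00|svc_backup|bkp-01|db.dump",
    "2024-03-04T11:00:00|jsmith|wks-220|web.login",
    "2024-03-05T11:30:00|jsmith|wks-220|web.login",
]

# Constructed records for the day being reviewed.
TODAY = [
    "2024-03-07T09:40:00|dba_admin|wks-101|db.query",
    "2024-03-07T23:45:00|dba_admin|vpn-gw-7|db.dump",
    "2024-03-07T02:00:00|svc_backup|bkp-01|db.dump",
    "2024-03-07T13:10:00|svc_backup|wks-340|db.query",
    "2024-03-07T03:00:00|jsmith|wks-220|web.login",
]

HOUR_TOLERANCE = 1  # an hour within +/-1 of a previously seen hour counts as normal


def parse_event(line):
    """Split one pipe-delimited audit line into a dict with a parsed timestamp."""
    ts, account, host, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "host": host, "action": action}


def build_baselines(lines, privileged=PRIVILEGED_ACCOUNTS):
    """Model each privileged account's usual hosts, actions and hours of activity.

    Events from non-privileged accounts are dropped here; that is the noise
    reduction the article describes, since only HPA activity is modelled.
    """
    baselines = defaultdict(lambda: {"hosts": set(), "actions": set(), "hours": set()})
    for ev in map(parse_event, lines):
        if ev["account"] not in privileged:
            continue
        b = baselines[ev["account"]]
        b["hosts"].add(ev["host"])
        b["actions"].add(ev["action"])
        b["hours"].add(ev["ts"].hour)
    return dict(baselines)


def hour_is_normal(hour, seen_hours, tolerance=HOUR_TOLERANCE):
    """True if `hour` lies within `tolerance` hours (wrapping at midnight) of a baseline hour."""
    def circular_distance(a, b):
        d = abs(a - b)
        return min(d, 24 - d)
    return any(circular_distance(hour, h) <= tolerance for h in seen_hours)


def score_events(lines, baselines, privileged=PRIVILEGED_ACCOUNTS):
    """Return one finding per privileged-account event that deviates from its baseline."""
    findings = []
    for ev in map(parse_event, lines):
        if ev["account"] not in privileged:
            continue  # standard accounts are out of scope for this monitor
        b = baselines.get(ev["account"])
        reasons = []
        if b is None:
            reasons.append("no baseline for privileged account")
        else:
            if not hour_is_normal(ev["ts"].hour, b["hours"]):
                reasons.append(f"unusual hour {ev['ts'].hour:02d}")
            if ev["host"] not in b["hosts"]:
                reasons.append(f"new source host {ev['host']}")
            if ev["action"] not in b["actions"]:
                reasons.append(f"new action {ev['action']}")
        if reasons:
            findings.append({"account": ev["account"],
                             "ts": ev["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for f in score_events(TODAY, baselines):
        print(f["ts"], f["account"], "; ".join(f["reasons"]))
```

Run as-is, the example reports two deviations: the interactive database administrator acting off-hours from a previously unseen host with a previously unseen action, and the backup service account being used interactively during the day. The ordinary user’s 03:00 login is never scored because that account is not in the privileged inventory, which is exactly the trade-off the article advocates: less data to review, concentrated on the accounts whose compromise carries the highest impact. In a real deployment the baseline would be built from weeks of data, and a finding would feed an analyst queue rather than a print statement.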
To implement a full-scale, high privileged account monitoring program, organizations must have a strong foundation in security with clearly defined processes for performing data identification and classification activities.
Organizations that take this strategic and vital step can empower their cyber defenders and substantially improve their security posture.
By selectively monitoring HPAs through user behavior analytics, you not only reduce the noise associated with account monitoring but also target the accounts that insider threat actors are likely to use and that external threat actors will attempt to compromise to achieve their goals.
Furthermore, selectively monitoring HPAs reduces the data load and focuses the user behavior analytics on the more valuable assets in the company.