Threat Intelligence and Privileged Access Management

Threat intelligence helps a cybersecurity team prioritize its work by focusing on the most serious threats.  In tandem, Privileged Access Management (PAM) strengthens the controls devised to counter such serious threats.

One thing that’s striking about so many massive data breaches is how the target tends to be caught off guard. “We had no idea they were even in our network,” is a comment heard way too often in the wake of serious security incidents. Yet, that’s the attacker’s dream: to be invisible… to be undetected until well after the attack has occurred.

Security professionals, of course, have the opposite goal. They want to know what threats are heading their way before they even appear at the perimeter. This is what “Threat Intelligence” is all about.  It’s a growing body of processes and practices geared toward giving cybersecurity teams the knowledge to make informed decisions by identifying security threats.

According to Gartner:

 “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Threat intelligence is intended to give cybersecurity teams the ability to keep up to date on the exploding amount of security information. This includes malicious actors, threat types, vulnerabilities, and so forth. Threat intelligence also involves giving security professionals the awareness they need to get more proactive about future threats.

Threat Intelligence and Privileged Access Management

Privileged Access Management (PAM) is about monitoring and managing which people have privileged or administrative access to critical systems. A privileged user is one who can modify system settings, set up or delete accounts, or access data (or destroy it). As a result, the impersonation of privileged users is one of the most serious threats an organization can face.

Given the risks of unauthorized privileged access, it’s recommended that PAM be aligned with threat intelligence. PAM can play a big role in making threat intelligence proactive. If a threat involves gaining privileged access, then PAM can form the countermeasure. For example, if threat intelligence identifies a malicious actor, the PAM solution can be set to spot this actor and block him from any privileged sessions.

The WALLIX PAM Solution for Threat Intelligence

WALLIX enables proactive threat intelligence with PAM by providing a single point of privileged access policy definition and enforcement. The WALLIX Bastion offers real-time analysis of command lines or applications executed by external users or third parties on a target device. Consequently, the Bastion administrator can enforce threat control by sending an alert and shutting down any session in which inappropriate behavior is identified.

The WALLIX Bastion includes a Password Manager and Session Manager which offer a defense against access control risks, including those from external users and remote third parties. Organizations are vulnerable to threats when they grant privileged access rights to third parties, such as IT outsourcing firms. A hacker might penetrate the third party and use a stolen identity to gain privileged access to a customer’s systems, for example.

To defend against this threat, privileged users must clear a portal, Access Manager, before gaining access to the system. Once it sets access policies, Access Manager knows the administrative privileges of every user seeking access. When WALLIX output is correlated with threat intelligence, it can flag suspicious activities and prevent a threat from turning into an incident.
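The correlation described above, sketched as an added example that is not WALLIX code or a WALLIX log format: privileged-session records are checked against threat-intelligence indicators and mapped to a response. The record layout, the indicator values, the account names and the terminate/alert policy are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat-intelligence indicators (documentation IP ranges, made-up account).
TI_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.17/32")]
TI_ACCOUNTS = {"svc-outsourcer-07"}  # identity reported stolen from a third party

# Constructed session records; the layout is hypothetical, not a real product's format.
SESSIONS = """\
2024-05-02T08:14:03Z user=alice src=10.20.1.15 target=db-prod-01 session=s-1001
2024-05-02T08:19:47Z user=svc-outsourcer-07 src=192.0.2.44 target=erp-app-02 session=s-1002
2024-05-02T08:21:10Z user=bob src=203.0.113.77 target=dc-01 session=s-1003
malformed line without fields
"""

@dataclass
class Finding:
    session: str
    user: str
    action: str  # "terminate" or "alert" (assumed response policy)
    reason: str

def parse(line):
    """Return the key=value fields of a record, or None if it is unusable."""
    fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
    if not {"user", "src", "target", "session"} <= fields.keys():
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
    except ValueError:
        return None
    return fields

def correlate(log_text):
    """Match sessions against the indicators; also count records that could not be checked."""
    findings, rejected = [], 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            rejected += 1  # surfaced so a parsing gap is not mistaken for a clean log
            continue
        if rec["user"] in TI_ACCOUNTS:
            findings.append(Finding(rec["session"], rec["user"], "terminate", "account listed as compromised"))
        elif any(rec["src"] in net for net in TI_NETWORKS):
            findings.append(Finding(rec["session"], rec["user"], "alert", "source address in threat feed"))
    return findings, rejected
```
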

A Password Vault reinforces internal controls by stopping admins from changing settings on a local device.  This is useful for threats that involve social engineering, where a malicious actor might gain physical access to a system.

WALLIX Session Manager tracks and records privileged access sessions, creating an audit log. All privileged users and devices communicating internally and externally with the network can be tracked in real time.

The WALLIX Bastion comes with simplified installation, use and control. It can be quickly deployed as a single gateway that admins log into once to access all its features. It’s adaptable due to its agentless architecture. The need to install dedicated PAM software agents on individual systems can inhibit consistent use of PAM — exposing the organization to threats.

Putting it Together

Threat intelligence and PAM should inform each other. Putting them together will mean different things at different organizations. It may be actual integration of systems. It could be a team process, where people share threat intelligence and work to align PAM policies with perceived threats. The main goal, though, is to put the two together in some meaningful way to reduce risks. There are too many serious threats out there that could affect privileged access to ignore the issue.