As cyberattacks speed up and become more complex, defenders need to do the same. One large component of this is privileged access management, or PAM. But PAM itself is always evolving. So how does your security operations center (SOC) keep up? And, what are the best, most modern ways to implement PAM today?
What Is Privileged Access Management?
The current breed of PAM software was at first designed to store passwords for privileged accounts. It’s grown beyond that over time. Now, it can include session monitoring, proxying, multifactor authentication, accounts discovery, approval workflow on checkout, user behavior analysis and software-as-a-service. New strategies for managing privileged accounts center on just-in-time (JIT) with zero standing privileges (ZSP) and identity analytics for managing risks related to granted privileges.
AI-Fueled Attacks
Many businesses and agencies have added PAM solutions with limited results. This leaves them open to ever more complex and evolving attacks. Attacks are evolving as threat actors experiment with artificial intelligence (AI) tools and the cloud. The speed at which they can attack today overwhelms SOC practices that still rely on manual processes. Attackers will use AI to search for openings and exploit them faster. For example, it can be used in user behavior emulation, tagging to normal activities and striking at AI speed.
PAM is one of the most effective controls for risk management linked to privileged accounts. Linking SOAR tools to the PAM architecture can greatly increase response speed and capabilities.
By the same token, tools such as SOAR, PAM and SIEM are evolving at breathtaking speed. So, the rapid pace of change can overwhelm security teams. The amount of events information that is part of deploying these toolsets makes it even worse. Using AI as an enabler for the SOC should be part of the next PAM architecture just like it’s part of the attackers’ toolsets.
High-Profile Attacks
Despite the advances PAM has seen over the last few years, businesses are still struggling to implement it and manage the risks related to privileged accounts. After all, managing large sets of data related to accounts and privileges while acting on security events in real-time is difficult. Look at the NotPetya ransomware campaign, probably the costliest cyberattack to date.
This attack would not have been successful in a patched and up-to-date environment. But many groups who use these tools don’t keep everything up to date all the time. There are always systems with some form of flaw. Meanwhile, attacks are fast outpacing the standard approach to defense. Colonial Pipeline paid $5 million in May 2021 due to a ransomware attack. On top of that, DarkSide malware has infected more than 2,200 victims since May 2019.
In the future, attackers will probably leverage AI and machine learning to tailor the attack to the context or to a target. They can use this to still get around the new breed of AI-enhanced tools, such as antivirus or email filtering. It’s just a matter of time for threat actors to leverage AI to get around even the newest PAM tools. There is always the need to have privileged access at some point, even if it’s indirect in nature.
The next generation of PAM architecture must respond to this. Ways to do this include AI and active response. Active response can leverage SOAR to respond to incidents and suspend accounts, disconnect sessions or block access.
Privileged Access Management and AI-Driven SOAR Architecture
Adding AI to PAM to fight AI involves putting a lot of different tools together. That’s true whether you’re working on-premise, hybrid or in the cloud. The architecture must provide a means for ingesting and analyzing vast amounts of data points. With those, it can go on to do proper automated decision-making and responses. From there, it must produce data in a format humans can read. After all, the end goal is to give your SOC visual information in a dashboard designed for risk management instead of solutions management.
The ultimate end goal is JIT ZSP solutions, as mentioned above. But this can take a long time to implement. Session monitoring without session management will remain a solution to respond to auditors’ risks. Businesses need to implement active, AI-driven user behavior analysis using existing PAM session management tools whenever possible.
Next-Generation Privileged Access Management for Today
How do you do this on a technical level? The architecture must include and be able to perform the task laid out in the Gartner document Critical Capabilities for Privileged Access Management. Furthermore, it must conform to the AI-driven active user behavior analysis and the associated dashboard.
To support PAM-SOAR, the user and entity behavior analytics tool must be highly scalable and elastic in terms of computing and storage resources. It must also adapt to the systems landscape for active response capabilities, wherever the assets are located. Using several different toolsets together will provide a base PAM-assisted SOAR system. Complement the base system by using cloud computing elastic resources, such as serverless computing services. AWS Lambda, DynamoDB, Kinesis and other cloud vendors have toolsets that can expand on what PAM-assisted SOAR can do. Take a look at the diagram below for a design thinking approach to AI-driven, active PAM-assisted SOAR architecture.
Businesses and agencies must develop their future PAM architecture now by using these various toolsets in a holistic approach. Just using a single PAM solution from one vendor checks the PAM off the to-do list. However, it still won’t mean you can play on a level field with threat actors who have no qualms about using AI open source tools and large amounts of cloud computing space. For that, you need the holistic approach.
IAM Principal Consultant, IBM