Integrating PAM with SIEM: Enhancing threat detection and response

When we think about privileged access management (PAM), we typically think of it first as a preventive control. PAM solutions manage who has privileged access to systems, enforce least-privilege principles, and monitor and record privileged user activity. This is crucial for preventing misuse of high-level permissions and for ensuring accountability. PAM is also particularly useful for audit and compliance, since it can produce evidence of who is entitled to access privileged resources and who has actually accessed them in the past.

But there is another area, often under-utilized, in which a PAM solution can provide a great deal of value to an organization: PAM’s capacity as a detective control feeding a SIEM or Security Data Lake and its potential to augment the capabilities of Security Operations and Threat Hunting teams.

Streamline your PAM strategy with Safeguard 

For example, in addition to reporting who checked out a privileged credential or accessed a privileged asset, One Identity’s PAM solution, Safeguard, can report on what commands were run during the session and what window titles appeared during it. It can also calculate a “Risk” score for each session that reflects how far that session deviates from a rolling baseline of the user’s normal activity across the following dimensions:

  • The hosts that are accessed
  • The time of day at which they are accessed
  • The keyboard activity and mouse movement of the user (useful for detecting bots)
  • The commands run and the window titles that appeared during the session

All this information can be of great value to other security tools in the pursuit of greater visibility and situational awareness, but often this data resides with the team managing privileged access and not the teams responsible for managing incidents or proactively hunting for security threats. To make the most of their Safeguard investment, organizations should make Safeguard’s PAM data available to other teams and tools, including SIEMs and Security Data Lakes. This can be accomplished quite easily by leveraging Safeguard’s syslog capabilities.

Collect and process logs with Syslog-ng

However, while it is true that more visibility enables better security, it is also true that an over-abundance of data can bury the signal it contains. Additionally, many SIEMs struggle to digest large volumes of log data, and many are licensed by ingest volume, so sending more logs to the SIEM does not automatically result in better security. Before pointing all of Safeguard’s syslog output at the SIEM (or any other tool), confirm that the tool can handle the volume and has a use for every event type you send.

This is where another One Identity product, Syslog-ng, can provide a lot of value to organizations in helping them to optimize their security tool investment. Syslog-ng is a high-performance log collector and processor. It can be used as an intermediary between log sources and security tools where it can enrich, transform, and filter logs so that the appropriate logs are sent to the appropriate tool at a consumable rate. Syslog-ng can also provide long-term storage of logs and includes an intuitive GUI and powerful search interface.
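The two ideas above, scoring a session against a rolling baseline of a user’s hosts, hours, keystroke rhythm and commands, and forwarding only the sessions worth an analyst’s time rather than every event, can be shown in a few dozen lines. The following Python is an added illustration and is not Safeguard’s scoring algorithm, weighting or log format; the session fields, the four-dimension weights, the bot-detection threshold and the forwarding threshold are all assumptions chosen for this example, and the session records are constructed, not real data.

```python
"""Illustrative baseline-deviation risk scoring for privileged sessions.

Added example: NOT Safeguard's algorithm, weights or log schema. Every
field name, weight and threshold below is an assumption for illustration.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one user (assumed schema, not Safeguard output).
HISTORY = [
    {"user": "alice", "host": "db01", "hour": 10,
     "keystroke_gaps": [0.21, 0.35, 0.18, 0.42, 0.27],
     "commands": ["sudo systemctl status postgresql", "psql -c 'select 1'"]},
    {"user": "alice", "host": "db02", "hour": 14,
     "keystroke_gaps": [0.30, 0.19, 0.44, 0.25, 0.33],
     "commands": ["sudo journalctl -u postgresql", "psql -c 'select 1'"]},
    {"user": "alice", "host": "db01", "hour": 11,
     "keystroke_gaps": [0.22, 0.38, 0.29, 0.17, 0.31],
     "commands": ["sudo systemctl restart postgresql"]},
]

# Three constructed candidate sessions to score against that history.
NORMAL = {"user": "alice", "host": "db01", "hour": 10,
          "keystroke_gaps": [0.25, 0.31, 0.20, 0.40, 0.28],
          "commands": ["psql -c 'select 1'"]}
MIXED = {"user": "alice", "host": "db01", "hour": 23,
         "keystroke_gaps": [0.24, 0.36, 0.19, 0.41, 0.30],
         "commands": ["sudo systemctl status postgresql",
                      "sudo tar czf /tmp/pg.tgz /var/lib/postgresql"]}
SUSPICIOUS = {"user": "alice", "host": "dc01", "hour": 3,
              "keystroke_gaps": [0.10, 0.10, 0.10, 0.10, 0.10],  # metronomic: scripted input
              "commands": ["whoami", "net user /domain", "sudo cat /etc/shadow"]}


def command_name(cmd):
    """Reduce a command line to its leading program name, skipping a sudo prefix."""
    parts = cmd.split()
    if parts and parts[0] == "sudo":
        parts = parts[1:]
    return parts[0] if parts else ""


def keystroke_cv(gaps):
    """Coefficient of variation of inter-keystroke gaps; near zero means machine-like timing."""
    m = mean(gaps)
    return pstdev(gaps) / m if m else 0.0


def build_baseline(history):
    """Summarise past sessions per user along the four dimensions the text lists."""
    baseline = {}
    for s in history:
        b = baseline.setdefault(s["user"], {"hosts": set(), "hours": set(),
                                            "programs": Counter(), "cvs": []})
        b["hosts"].add(s["host"])
        b["hours"].add(s["hour"])
        b["programs"].update(command_name(c) for c in s["commands"])
        b["cvs"].append(keystroke_cv(s["keystroke_gaps"]))
    return baseline


def risk_score(session, baseline, bot_cv=0.05):
    """Return 0..100: how far the session sits from its user's baseline.

    Weights and the bot_cv threshold are assumptions, not Safeguard's.
    """
    b = baseline.get(session["user"])
    if b is None:
        return 100  # no history at all: every dimension is novel
    # 1. host this user has never accessed before
    host_dev = 0.0 if session["host"] in b["hosts"] else 1.0
    # 2. time of day outside any baseline hour (+/- 1h window)
    hour_dev = 0.0 if any(abs(session["hour"] - h) <= 1 for h in b["hours"]) else 1.0
    # 3. keystroke timing too regular for a human (bot-like)
    kb_dev = 1.0 if keystroke_cv(session["keystroke_gaps"]) < bot_cv else 0.0
    # 4. share of programs absent from the user's command vocabulary
    progs = [command_name(c) for c in session["commands"]]
    cmd_dev = (sum(1 for p in progs if p not in b["programs"]) / len(progs)) if progs else 0.0
    score = 0.3 * host_dev + 0.2 * hour_dev + 0.2 * kb_dev + 0.3 * cmd_dev
    return round(100 * score)


def triage(sessions, baseline, forward_threshold=40):
    """Return (forwarded, suppressed_count): sessions at or above the threshold, riskiest first.

    Only `forwarded` would go on to the SIEM; the rest stay in long-term log storage.
    """
    scored = [(risk_score(s, baseline), s) for s in sessions]
    forwarded = sorted((t for t in scored if t[0] >= forward_threshold),
                       key=lambda t: t[0], reverse=True)
    return forwarded, len(scored) - len(forwarded)


BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    fwd, dropped = triage([NORMAL, MIXED, SUSPICIOUS], BASELINE)
    for score, s in fwd:
        print(f"forward to SIEM: risk={score} user={s['user']} host={s['host']} hour={s['hour']}")
    print(f"kept out of the SIEM: {dropped} session(s)")
```

The `MIXED` session is the interesting case: an unusual hour and one unfamiliar program raise its score, but not past the forwarding threshold, so it stays in long-term storage where a threat hunter can still find it, while only the session that deviates on every dimension reaches the SIEM. In a real deployment the threshold and weights would be tuned against the SIEM’s ingest budget and the analysts’ observed false-positive rate rather than fixed as they are here.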

Safeguard can also share its data with other teams through its integration with Microsoft Power BI, an analytics and data visualization platform that simplifies the creation of interactive reports and dashboards. Safeguard includes connectors and pre-built report templates for Power BI. All of Safeguard’s session and audit log data is made available to Power BI to build impactful dashboards and investigation tools, all of which can be easily shared through the Microsoft ecosystem.

Benefits of integrating Safeguard for PAM with SIEM 

What benefits can you expect when you make Safeguard’s data available to your Security Operations team through your SIEM?

Enhanced visibility and context: Safeguard provides detailed logs of privileged user activities. When this PAM solution is integrated with a SIEM, these logs can be correlated with other security data such as network traffic and user behavior. This correlation provides richer context and enhances the visibility of potential threats. For example, if an unusual access attempt is detected by the SIEM, correlating it with privileged access logs from PAM could help identify whether the attempt involved a compromised privileged user and, if so, could allow analysts to leverage a full recording of the session.

Improved threat detection: Safeguard tracks and records privileged user actions, which can be crucial for detecting insider threats or compromised accounts. Safeguard provides a risk score for each recorded session, which corresponds to the degree to which the activity in that session differed from past activity. This risk score can be leveraged to act as a sorting mechanism to assist with the triage of potential incidents, enabling security analysts to focus their limited time on those events which are more likely to be related to nefarious activity.

Improved return on investment: If you can increase the value you derive from a tool without increasing its cost, you improve its return on investment. Integrating Safeguard’s PAM data with the SIEM does exactly that: the same session and audit data that already satisfies the access-control and compliance use cases also strengthens detection and response.

If you would like to learn more about Safeguard, please visit https://www.oneidentity.com/one-identity-safeguard/
