This is a mirror of an article I wrote for the Centrify Community.
To be an effective security analyst, one must employ techniques like the continuous (or constant) improvement process (CIP); this concept is commonly applied in manufacturing, but it has been extended to many disciplines. The idea is to optimize the elements (people-process-technology) of a product, process or service to make it better.
In the security discipline, this requires partnership with stakeholders (infrastructure, application and business leads) to make sure the process is not about "pointing out what's wrong" but about minimizing risk and working together to stay aligned with good security practice. This means that your stakeholders need to be part of the optimization process. This is not a top-down or policy-based approach; the idea is that everyone understands the risk factors around data breaches and can volunteer information to improve the organization's current security posture.
In this article I discuss the metrics provided by Centrify and integrations with third parties to aid in this constant improvement process.
We'll start with the information produced by our Centrify Server Suite (CSS). For those who don't know, CSS provides:
- Centralized administration for UNIX, Linux and OS X leveraging Active Directory
- Streamlined authentication leveraging Microsoft Kerberos
- Strong Authentication (smart card) and MFA for UNIX, Linux, OS X and Windows systems.
- Privilege Management leveraging RBAC for UNIX, Linux, and Windows systems.
- Session capture + replay and access/privilege tracking for UNIX, Linux, and Windows systems.
Centrify Zones - A powerful ally
Centrify Server Suite has been successful due to the introduction of Centrify Zones. This capability is implemented as a set of AD objects that provide the following:
- Cross-platform groupings of systems based on a governance model (zones, child-zones, computer roles)
- Access Control enforcement (least access) - only users who have a UNIX identity in the zone and are authorized there can access a system
- UNIX identity management - consolidated AD and Local account (user/group) management
- Role-based access control - enforcement of how (what protocol or method) and what (commands, apps, desktops) can be run with privilege: without exposing a password.
The Goal: Least Access & Least Privilege Management
Before you can embark on the journey to operational efficiency, you must understand what the goals are and establish baselines; each goal can be an independent program or project; after all, "you can't manage what you can't measure."
The universal goal of privileged identity management (PIM) is to implement the least access and least privilege principles. This means that users can only access the systems they require to perform their functions, and their privileges don't exceed what's required for their assigned duties. Shared accounts or powerful roles must have limited use: granted on a temporary basis, only with approval.
With that established we can look at access and privileges using four dimensions: Users, Groups, Roles and Systems. The reasoning behind this model is simple: in mature environments, access and privileges are not assigned to the individual but to groups (e.g. AD security groups), and these may be applied in the context of a system. Let's review some user-based metrics that can be gathered using Centrify Report Services (a tool included with CSS Standard Edition) and our integration with Splunk.
User View Metrics
Who are the users with most access on systems?
This is a basic metric because it defines your universe. It allows you to start a conversation about attestation and use the challenge "do you really need access to all these systems?"; another conversation starter is identifying non-IT or business users that have access to systems and asking why; if the answer is "it takes too long for me to get access", then the thing to optimize is the access-granting process itself.
Users with more access roles
This metric allows you to identify users with aggregated roles that grant access. In organizations that have not embraced temporary access control, the reports associated with this metric allow us to identify instances of granting too many access rights. This is also a great opportunity to identify redundancies and problems with the role/privilege design.
Example: in the report for this metric, Diana is already a powerful user, but she also has a role-assignment override on the Ubuntu system named engubu14. This is unnecessary because she is already a zone-level cross-platform sysadmin.
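As an added illustration (not code from the original article or from Centrify), the following Python computes the two metrics above, "users with most access" and "users with more access roles", and flags the Diana-style redundancy from a constructed set of role assignments. The record shape (user, role, scope, privileged flag), the single zone, the hostnames and the role names are all assumptions for the example; a real run would take the same fields from a Report Services export or a Splunk search against the Centrify add-on.

```python
from collections import defaultdict

# Constructed sample of Centrify-style role assignments. Illustrative data in an
# assumed (user, role, scope, privileged) shape, NOT an export from Centrify Report
# Services. scope is "zone" for a zone-level assignment, or a hostname for a
# computer-level override.
ASSIGNMENTS = [
    ("diana", "Cross-Platform Sysadmin", "zone",     True),
    ("diana", "Linux Sysadmin",          "engubu14", True),   # override on one Ubuntu host
    ("bob",   "UNIX Login",              "zone",     False),
    ("bob",   "DBA Restart",             "dbsrv01",  True),
    ("carol", "UNIX Login",              "websrv01", False),
    ("carol", "UNIX Login",              "websrv02", False),
    ("carol", "UNIX Login",              "websrv03", False),
]

# Computers joined to the (single, assumed) zone.
ZONE_COMPUTERS = {"engubu14", "dbsrv01", "websrv01", "websrv02", "websrv03"}


def systems_reachable(assignments=ASSIGNMENTS, zone_computers=ZONE_COMPUTERS):
    """Map each user to the set of systems any of their role assignments reaches.
    A zone-level assignment reaches every computer in the zone; a computer-level
    assignment reaches only that host."""
    reach = defaultdict(set)
    for user, _role, scope, _priv in assignments:
        reach[user] |= (zone_computers if scope == "zone" else {scope})
    return dict(reach)


def top_users_by_access(assignments=ASSIGNMENTS, zone_computers=ZONE_COMPUTERS):
    """'Users with most access': (user, system count), descending, ties by name."""
    reach = systems_reachable(assignments, zone_computers)
    return sorted(((u, len(s)) for u, s in reach.items()), key=lambda t: (-t[1], t[0]))


def role_assignment_counts(assignments=ASSIGNMENTS):
    """'Users with more access roles': distinct (role, scope) grants per user.
    Carol's three per-host grants of the same role count as three, since each one
    is a separate assignment to attest."""
    grants = defaultdict(set)
    for user, role, scope, _priv in assignments:
        grants[user].add((role, scope))
    return {u: len(g) for u, g in grants.items()}


def redundant_override_candidates(assignments=ASSIGNMENTS):
    """Computer-level privileged overrides held by users who already hold a
    zone-level privileged role. These are candidates for review, not proof of
    redundancy: whether the override adds nothing depends on the rights in each
    role, which this constructed data does not model."""
    zone_priv = defaultdict(set)
    for user, role, scope, priv in assignments:
        if priv and scope == "zone":
            zone_priv[user].add(role)
    flagged = []
    for user, role, scope, priv in assignments:
        if priv and scope != "zone" and zone_priv.get(user):
            flagged.append((user, scope, role, sorted(zone_priv[user])))
    return flagged


if __name__ == "__main__":
    for user, count in top_users_by_access():
        print(f"{user:6} reaches {count} systems, {role_assignment_counts()[user]} role assignments")
    for user, host, role, zone_roles in redundant_override_candidates():
        print(f"review: {user} has override '{role}' on {host} but already holds {zone_roles} zone-wide")
```

Bob ties with Diana on reachable systems through a plain zone-level login role, which is exactly why the access metric is only a conversation starter: the privilege metrics further down distinguish the two.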
Local UNIX Accounts Managed by Centrify
If you are leveraging Centrify Zones to manage local user accounts on your UNIX-like systems, understanding how these fit into the access model is important. The question to ask is how the passwords for these local accounts are being managed. You can leverage Centrify Privilege Service or your existing shared account password management (SAPM) solution.
Who are the users with most privileges? Do they require those privileges?
This is another baseline metric. Now the focus is on privileges, and understanding the population of users that hold privileges, and the context in which they hold them, is important. If temporary access control is not being used, then attestation exercises should focus on why the privileges are needed. If the answer is "app X breaks all the time and I need to reboot it from home", then target the root of the problem (the app), not the privilege.
Privileged vs. Access Users
Now we're using the information in Centrify Zones about access and privileges to understand the landscape and profiles of users.
Who are the most active privileged users?
This metric can be used to find out who is really using their privileges. Watch out for users who haven't been active in a 30-day period: their privileges are candidates for removal or for conversion to temporary access.
How frequently are the privileged users changing their passwords?
This is a classic identity management metric. Not only does it identify poor practices (such as accounts without password expiration), it also measures compliance with policy. Several password changes within a short window (e.g. a 2-3 minute threshold), where group policy allows them at all, should also raise a security operations alarm: that is the pattern of a user cycling through the password history in order to set an old password again.
User Overview - Attestation Report
Logins by User - Organization View
Identifying our most active users (those actually exercising their access rights) allows us to correlate activity against our access universe. Make a habit of running this with a 30-day threshold to find out which users in the access report show no activity; those are great candidates for temporary access.
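The three activity metrics above (most active privileged users, rapid password changes, and logins correlated against the access universe over a 30-day window) can be computed from one event stream. The Python below is an added example, not code from the article or from Centrify: it parses a constructed key=value log (an assumed normalized format, not the schema of the Centrify audit events or the Splunk add-on), with made-up users, hosts and dates, and the user sets stand in for the output of the access and privilege reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in an assumed "timestamp key=value ..." format. This is
# NOT the Centrify audit or Splunk add-on schema; it only shows the shape of the logic.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=diana event=login host=engubu14
2024-05-02T09:15:00Z user=bob event=login host=dbsrv01
2024-05-20T10:00:00Z user=diana event=login host=dbsrv01
2024-06-10T11:00:00Z user=diana event=login host=websrv01
2024-06-11T07:00:00Z user=carol event=login host=websrv02
2024-06-11T07:30:00Z user=bob event=password_change host=dbsrv01
2024-06-11T07:31:10Z user=bob event=password_change host=dbsrv01
2024-06-11T07:32:05Z user=bob event=password_change host=dbsrv01
2024-06-11T07:45:00Z user=diana event=password_change host=engubu14
"""

# "Now" is fixed so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 12, tzinfo=timezone.utc)

# Constructed stand-ins for the privilege and access reports. erin and frank hold
# rights but never appear in the log at all.
PRIVILEGED_USERS = {"diana", "bob", "erin"}
ACCESS_USERS = {"diana", "bob", "carol", "frank"}


def parse_events(text=SAMPLE_LOG):
    """Parse the constructed log into dicts with a timezone-aware 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(pair.split("=", 1) for pair in pairs)
        rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def login_counts(events, users, now=NOW, days=30):
    """'Most active privileged users': logins per user inside the window, zeros included
    so that unused privilege is visible rather than silently absent."""
    cutoff = now - timedelta(days=days)
    counts = {u: 0 for u in users}
    for e in events:
        if e["event"] == "login" and e["user"] in counts and e["time"] >= cutoff:
            counts[e["user"]] += 1
    return counts


def inactive_users(events, universe, now=NOW, days=30):
    """Users in the report universe with no login in the window: candidates for
    temporary access (or for removal, if the universe is the privileged set)."""
    return sorted(u for u, n in login_counts(events, universe, now, days).items() if n == 0)


def rapid_password_changes(events, threshold=timedelta(minutes=3)):
    """Consecutive password changes by the same user closer together than the
    threshold. Returns (user, earlier, later) per offending pair, so three changes
    in two minutes produce two alerts."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "password_change":
            by_user[e["user"]].append(e["time"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= threshold:
                alerts.append((user, earlier, later))
    return alerts


if __name__ == "__main__":
    ev = parse_events()
    print("privileged logins (30d):", login_counts(ev, PRIVILEGED_USERS))
    print("inactive privileged:", inactive_users(ev, PRIVILEGED_USERS))
    print("inactive access:", inactive_users(ev, ACCESS_USERS))
    for user, t1, t2 in rapid_password_changes(ev):
        print(f"alarm: {user} changed password at {t1:%H:%M:%S} and again at {t2:%H:%M:%S}")
```

Bob shows up in both inactivity lists (his only login predates the window) and trips the password-change alarm, while erin and frank appear only because the universe comes from the access and privilege reports rather than from the log; that join is the whole point of correlating activity against the universe.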
User Overview - Most Privileged User Commands (cross-platform)
These types of reports can be generated using different criteria (time period, user, system, etc.). They let us identify each user's habits and preferences. For example, it looks like my sysadmin spends most of the time editing files.
Making the most of your Centrify Investment
Most organizations are on a journey that may or may not have been completed; perhaps at one time it was all about authentication. Centrify has invested heavily in shifting toward controlling privileges the right way, by promoting the least access and least privilege principles across client/server platforms. Today we continue to innovate by providing multi-factor authentication; as we move to hybrid clouds, you can rest assured that we'll continue to provide the insight needed to make the right decisions. In the next entry, we'll discuss the other dimensions.
- Centrify Server Suite Report Services Guide - https://docs.centrify.com/en/css/suite2016/centrify-reporting-guide.pdf
- Centrify Splunk App - https://splunkbase.splunk.com/app/3272/
- Centrify Splunk Add-on - https://splunkbase.splunk.com/app/3271/