The Lockdown

Thycotic’s Cyber Security Blog

Layered Privilege Security with Secret Server and Privilege Manager

Written by Joseph Carson

June 22nd, 2021

Nearly all major data breaches involve both a compromised endpoint and compromised privileged credentials. A layered security strategy has to address both attack vectors to meaningfully lower the risk of a successful cyber attack.

Layered security combines different security solutions into a coordinated, comprehensive strategy, the whole of which is greater than the sum of its parts. When endpoint security solutions like Privilege Manager work in concert with Privileged Access Management solutions like Secret Server, your overall security posture is stronger and risks are reduced.

Two links in the attack chain

Attackers seek access to the IT systems in which critical, sensitive data is stored. To obtain that access, they generally need passwords or other credentials. That is why Secret Server is designed to enforce password hygiene: strong generation, encrypted storage, and automatic rotation, which shortens the window in which a stolen password is still useful. It works behind the scenes so users don't need to see or even know their passwords to log into critical IT systems, which makes them less likely to share passwords or save them in insecure places, such as the browser, and expose the organization to risk.

But password theft is only one step in a cyber criminal's attack chain. Once an attacker has gained access to a system, they still need enough privilege to reach the data and the ability to exfiltrate it without detection before they can sell it on the black market or hold it for ransom.

That’s where privilege management comes into play as a critical part of a layered security strategy. If a legitimate credential is abused, stolen, or exposed, it can allow significant harmful activity to occur by virtue of the privileges attached to that credential. Privilege authorizes a user to bypass security restraints and do things general users can’t do: change configurations, download large amounts of data in the middle of the night, or even add themselves to a domain or local Administrators group so they have higher levels of access to other systems.

It’s critical to reduce privileges on endpoints to a least privilege state

The longer an attacker can “pwn” an endpoint, database, or application that stores data, the more data they can exfiltrate over time. For this reason, it is critical to minimize privileges on endpoints to a least privilege state with Privilege Manager. Then, even if an attacker steals a password and gains access to an endpoint, the account they land on carries no standing administrative rights to abuse, which makes it far harder to escalate privileges, move laterally around the network, and do more damage to your organization.

Privilege Manager helps neutralize compromised credentials by controlling what can be done with them, enforcing the principle of least privilege. It also prevents backdoor accounts from being created and stops third parties from deleting or tampering with core infrastructure server security controls, whether intentionally or accidentally. It adds controls such as reviews and approvals so that elevation is granted deliberately rather than by default.

Temporary access elevation 

At times, people need elevated privileges to update critical applications or perform simple tasks, such as installing a local printer. Rather than provide standing privileges, you can grant just-in-time, just-enough access that expires when the task is done.

Secret Server handles privilege elevation with the Check Out Hooks feature. Administrators attach PowerShell, SSH, or SQL scripts that run before and after a secret is checked out, and again when it is checked in. Common use cases for these scripts are the temporary elevation of an account at check-out (and its demotion at check-in) and temporarily enabling an administrator or root-level account. This works for any target system that can be reached with PowerShell, SSH, or SQL. Using the Request for Access feature, the process can be further secured with multiple approvers and ticket-system validation.
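As an added illustration of the pattern described above, here is a pre-checkout / post-checkin hook pair for the SSH case: grant a checked-out account sudo rights on a Linux host and revoke them again at check-in. This is example code written for this page, not Thycotic's code or documentation. The way the hook runner passes arguments (action as `$1`, account name as `$2`), the `checkout`/`checkin` action names, and the `SUDOERS_D` override are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Thycotic's code): check-out / check-in hook pair for a Linux target,
# of the kind a Secret Server SSH Check Out Hook would run.
# Assumptions: the hook runner passes the action ("checkout" or "checkin") as $1 and the
# account name as $2, and the script runs as root on the target. SUDOERS_D can be
# overridden (e.g. to a temp directory) to exercise the logic without touching /etc.

sudoers_file() {
  printf '%s/jit-%s\n' "${SUDOERS_D:-/etc/sudoers.d}" "$1"
}

# Refuse anything that is not a plain account name: the name ends up in a sudoers rule
# and in a file name, so '.', '/', ';' and friends are out ('.' in a sudoers.d file name
# makes sudo silently ignore the file).
validate_user() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid account name: '$1'" >&2; return 1 ;;
  esac
}

# Pre-checkout hook: grant full sudo through a per-user drop-in file.
grant_temp_sudo() {
  user="$1"
  validate_user "$user" || return 1
  f="$(sudoers_file "$user")"
  # Create with restrictive permissions from the start, then activate atomically with mv.
  ( umask 077 && printf '%s ALL=(ALL) ALL\n' "$user" > "$f.tmp" ) || return 1
  chmod 0440 "$f.tmp"
  # Syntax-check before activating so a bad file can never break sudo for everyone.
  # visudo also checks owner and mode, which only hold when we really run as root.
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$f.tmp" >/dev/null || { rm -f "$f.tmp"; return 1; }
  fi
  mv "$f.tmp" "$f"
  logger -t jit-sudo "granted temporary sudo to $user" 2>/dev/null || true
  return 0
}

# Post-checkin hook: revoke. Idempotent, so it is also safe to run on checkout expiry or
# from a scheduled sweep if the check-in hook never fired.
revoke_temp_sudo() {
  user="$1"
  validate_user "$user" || return 1
  rm -f "$(sudoers_file "$user")"
  # Drop sudo's cached authentication so an already-open shell cannot keep elevating.
  # The timestamp directory is distribution dependent; /run/sudo/ts is the common one.
  rm -f "/run/sudo/ts/$user" 2>/dev/null || true
  logger -t jit-sudo "revoked temporary sudo from $user" 2>/dev/null || true
  return 0
}

has_temp_sudo() { [ -f "$(sudoers_file "$1")" ]; }

case "${1:-}" in
  checkout) grant_temp_sudo "$2" ;;
  checkin)  revoke_temp_sudo "$2" ;;
esac
```

Two details carry over to any hook you write: validate the account name before it reaches a sudoers rule or a file path, since the hook is ultimately triggered from a web workflow, and make revocation safe to run more than once so that a missed check-in (expired checkout, crashed session) can be cleaned up by a scheduled sweep without side effects. Confirm the sudo timestamp directory on your distribution with `sudo -V` run as root before relying on the cache-drop step.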

Privilege Manager uses policy-based controls to elevate the applications users need without handing out administrator credentials or requiring a request to IT support. It automatically adds trusted applications to an allow list, checks the latest threat intelligence from tools such as VirusTotal and BlackBerry Protect (formerly Cylance) to build blocklists, and places unknown applications on a restrict list with their own execution rules.

IT teams decide how their policies will affect end-users. For example, administrators can choose to sandbox an unknown application so that it has no access to system controls or operating-system configuration. Alternatively, administrators can require approval before an unknown application is executed, or grant access to that application for a limited period of time. Because Privilege Manager elevates the application and not the user, the user's session never runs with standing administrative rights that a cyber criminal could hijack.

If you have both Secret Server and Privilege Manager, which system you use for privilege elevation depends on which approach you prefer. If you’re a PowerShell guru and want to create your own scripts, Secret Server’s Check Out Hooks may be for you. If you prefer to design policies and tap into threat intelligence tools, you may prefer Privilege Manager.

Either way, it’s important to consider the need for temporary just-in-time elevation in your privilege security plan so you can allow users to stay productive even without full administrative rights.

How to connect Secret Server and Privilege Manager

It’s easy and straightforward to connect Secret Server and Privilege Manager. Both products are available on-premises or in the cloud, and any combination of the two works together.

Secret Server can serve as the authentication source for Privilege Manager, which gives Privilege Manager logins the same two-factor authentication options as Secret Server.

In addition, the local account credentials that Privilege Manager manages can be stored in Secret Server as Secrets, so that access to them is governed by Secret Server’s role-based access control and approval workflows.

Better together 

Secret Server and Privilege Manager are complementary security solutions. They work in tandem to strengthen privileged access security and shrink your attack surface. Think of them as a digital polygraph test to confirm the “truth” of user access and authorization.

There are many benefits to working with one partner for both privileged access management and privilege management solutions.

Because Secret Server and Privilege Manager share a common design system, IT, security, and business teams have a lower learning curve and adopt security best practices more readily.

Our technical support experts and professional services teams are skilled in both Secret Server and Privilege Manager and are there to support you as you implement and integrate these tools to achieve your goals.

Learn more in our on-demand webinar Secret Server & Privilege Manager: Protecting endpoints and their privileged credentials.
