
Thycotic PAM, IT and Cyber Security Webinars



Top 5 Things to Monitor on Privileged Accounts to Detect Outsider Exploitation and Insider Misuse



We are hearing a lot about end-user behavior analysis, but let’s talk about applying the same principles to privileged user behavior analytics. UEBA (user and entity behavior analytics) focuses on trying to baseline what’s normal activity for an end user. Some UEBA solutions also try to establish peer group baselines. UEBA technology might examine workstation usage, server access, volume of information access, egress of information to removable media and cloud storage, email activity, program usage, website access and more.

But privileged user activity patterns are very different from end-user patterns. Privileged users constantly do things that would artificially increase their risk score or trigger false alerts if end-user assumptions were made about their behavior:

  • you can expect privileged users to run administrative programs like PowerShell, cmd.exe and RDP clients
  • privileged users are going to use admin features like RunAs and connect to remote systems with different credentials
  • privileged users will trigger new events in Windows 10 auditing designed to catch attackers scanning the system for vulnerable accounts

So the concept or goal of UEBA is great to apply to privileged users, but we need to acknowledge that privileged accounts play by a different set of rules. On the one hand, PBA (privileged behavior analysis) can be more difficult because much admin activity is just too rare to establish what’s normal. After all, a lot of administration is about setting things and fixing problems.

On the other hand, to the degree your organization follows privileged access best practices, privileged users should operate within a much more limited scope of systems and in better-defined, more easily predicted patterns. We can take advantage of that to better hone our sense of what’s normal behavior.

In this real-training-for-free™ event we are going to identify what to monitor about privileged accounts in order to catch:

  • outsiders that have stolen privileged account credentials
  • insiders not following privileged policies and procedures and thus putting accounts at risk
  • malicious insiders

Some of the things to look at include:

  • tying individual persons (admins) to any generic admin accounts they use
  • originating endpoints
  • which servers each person accesses for administration
  • time periods
  • frequency
  • comparison to similar admins (more practical the larger the organization)
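The following Python sketch is an added example, not material from the webinar. It shows how several of the items above (person-to-account attribution, originating endpoints, servers accessed and time periods) can be turned into a per-admin baseline and checked against new sessions. The event tuples, host names and the idea that a PAM checkout record supplies the `person` field are assumptions, and all sample data is constructed.

```python
from collections import defaultdict

# Constructed sample sessions: (person, account, source_endpoint, target_server, hour).
# Assumption: "person" comes from a PAM checkout record that ties a named admin
# to the generic admin account used for the session.
HISTORY = [
    ("alice", "svc-admin", "paw-01", "dc-01", 9),
    ("alice", "svc-admin", "paw-01", "dc-02", 10),
    ("alice", "svc-admin", "paw-01", "dc-01", 14),
    ("bob", "svc-admin", "paw-02", "sql-01", 8),
    ("bob", "svc-admin", "paw-02", "sql-02", 16),
]

HOUR_TOLERANCE = 1  # hours of slack around the observed working window


def build_baseline(events):
    """Per-person baseline: known sources, known targets, observed hour window."""
    base = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": []})
    for person, _account, source, target, hour in events:
        entry = base[person]
        entry["sources"].add(source)
        entry["targets"].add(target)
        entry["hours"].append(hour)
    return dict(base)


def evaluate(baseline, event):
    """Return the list of reasons a session deviates from the person's baseline."""
    person, _account, source, target, hour = event
    if person is None:
        return ["generic account use not tied to a person"]
    if person not in baseline:
        return ["no baseline for this person"]
    entry, reasons = baseline[person], []
    if source not in entry["sources"]:
        reasons.append("new originating endpoint")
    if target not in entry["targets"]:
        reasons.append("new target server")
    low = min(entry["hours"]) - HOUR_TOLERANCE
    high = max(entry["hours"]) + HOUR_TOLERANCE
    if not low <= hour <= high:
        reasons.append("outside usual hours")
    return reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(evaluate(baseline, ("alice", "svc-admin", "ws-finance-07", "sql-01", 3)))
```

Frequency and peer-group comparison are left out here; they would need dated events and a mapping of admins to comparable roles.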