Protecting your IT estate against executive compromise

Your company’s Chief Financial Officer is supposedly working from home in Florida. So why is his laptop showing up in New York City connected to an unknown WiFi access point that appears to be in a Starbucks? Such a revelation should set off alarms in any IT security team. What if a criminal gang has taken the CFOs account credentials and is mounting a business email compromise (BEC) social engineering attack? Or what if instead of the CFO it’s your chief software architect and the attack looks like it’s looting your private GitHub repos or attempting to make code changes that could allow the insertion of a Magecart skimmer on your shopping cart page?

Employees with high privileges pose a bigger cybersecurity risk

The reality is IT security is tasked with protecting all endpoints and internal assets against compromise. But executives and other employees in high-level roles have access privileges to the most sensitive systems. When their accounts or devices are compromised, the monetary and security risks to an enterprise are markedly higher. 

For this reason, it is absolutely essential that IT asset management systems have the capability to treat assets for this class of high-privilege employees differently. At this level, additional security measures are needed to ensure a higher degree of scrutiny and caution against any activities associated with executives. Unfortunately, applying this higher standard is challenging when an IT organization uses multiple asset and device management systems but lacks an integrated source of truth that captures, validates, and dedupes all IT assets into a single trusted database. 

For this reason, the minimum requirement for using an ITAM system is integration of all data, coupled with accuracy and trust; your IT security team must be able to quickly tie a device, piece of software or SaaS account to the right user and understand the implications of that user’s role inside your enterprise. These integrated ITAM systems must reside above multiple static ITAM systems that are stovepiped and built for more limited tasks like managing mobile, Apple or Windows devices. 

3 triggers to watch for indicators of compromise 

Because integrated ITAM is the single source of truth for all the systems linked to a specific individual, it is also the logical place to build rules and triggers to spot and stop attacks. 

Location: When a high-privilege user shows up in a new part of the world or in a location that raises questions, this can be a sign of identity theft, account theft or theft of a physical device. A user showing up in two locations simultaneously or within a suspiciously shortly window could indicate device or account spoofing. As user location data is recorded for devices and accounts, it can be mapped back to specific users in an integrated ITAM. IT teams can set up their integrated ITAM platform to trigger a workflow and set of tickets whenever a high-privilege user shows up in an unrecognized location. That workflow could assign someone on the IT security team to contact the user and verify their location or, if the location is highly questionable (e.g. in a rogue state) to immediately cut off access to networks and systems holding sensitive data. 

Recency : When high-privilege employees fail to log on to their email or calendar for more than 24 hours, this could be a sign that their device was stolen or that they are unable to log in due to some other reason (loss of 2FA tokens or Ubikey, for example). For lack of  recent log-ins, the user’s systems could be paused and additional precautions put in place to verify their identity, or mandate a voice confirmation.

Frequency: Alternatively, if they are logging on and off quickly during a short window, that could indicate their credentials are compromised and they’re being kicked off their accounts by the hacker who stole or phished their log-in info. This activity should trigger a workflow that locks out all of the user’s systems and mandates a more aggressive verification process since the activity is more likely to be associated with fraud and their mobile device or other source of 2FA might be compromised (through e.g. a SIM card swap).  

Beyond the basics: AI, Machine Learning and Advanced Behavioral Analysis

Basic automated triggers can markedly improve your security stance. If your integrated ITAM has cleaned and normalized all your IT asset data, then the data and activities associated with devices, accounts and users becomes programmatically addressable. This means your team can start to think about running AI and ML tools against activities to spot more subtle Indicators of Compromise such as log-ins during the early morning hours one or two nights a week. This is the future of ITAM, where machines are analyzing and managing machines to help humans work smarter. For now, however, putting in place simple but effective rules to guardrail high-privilege users can improve the security stance of your organization and give your most senior people greater peace of mind.