Patrick Gray: We all know that privileged access management is an absolute pain in the ass - even just figuring out where the privileged accounts live and who is using them… Remediant set out to do something about this.
Tim Keeler: Based off a number of years spent as a breach consultant, helping enterprises deal with lots of kinds of breaches, a lot of them at the state-sponsored level… We found that the same attacks are hitting all the different enterprises in the same fashion… Doing the breakdown of a lot of different breaches, we found that companies are still struggling with some of the fundamentals, including just understanding who has administrative rights in their entire company… the first challenge was just getting visibility [into privileged access]. When we took a look at what administrators do on a day-to-day basis, they're only logging into a handful of systems -- when the level of access their account has is 24/7 access to thousands of systems, if not more in larger environments. So what we wanted to do was introduce this new concept of JITA. What that allows users to do is get time-based access to various systems to do their job.
Patrick Gray: Often the output [from PAM tools] is difficult to parse… collecting information on accounts isn't tremendously difficult. How do you display that information to an administrator in a way that makes sense and helps them to make better decisions? ... There are some companies that take the password vault approach. Is that similar to what you're doing?
Tim Keeler: We've actually stepped aside from the whole password vault [approach], since that's where companies were really struggling to have successful implementations. Also, administrators are really creative and often find ways around the password vault. There's generally a pretty big disconnect between what the security teams think needs to be in the security vault and where the outlying administrator privilege exists.
Patrick Gray: I think what you're trying to say is that the development teams don't use [password vaults].
Tim Keeler: It's extremely frustrating for them to use… when they have to jump through many hoops to use a password vault, it's counterproductive to their business… What we wanted to do was to forget about password vaults and bifurcating identities, and instead, create a really simple web interface with two-factor authentication that gives administrators time-limited access… we want to make it super easy.
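The interview contrasts standing administrative rights (an account that is admin on thousands of hosts around the clock) with time-bound grants. The following is an added illustration written for this post, not Remediant's code or any description of how their product is built: a small in-memory broker in which no account holds admin rights by default, every grant names one user, one host and an expiry, requested lifetimes are capped, and expired grants stop working at check time and are swept from the table with an audit trail. The host names, accounts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One time-bound admin grant: `user` is admin on `host` until `expires_at` (UTC)."""
    user: str
    host: str
    granted_at: datetime
    expires_at: datetime


def standing_exposure(admins: Dict[str, Set[str]]) -> int:
    """Count (account, host) pairs that hold permanent admin rights.

    This is the 24/7 standing-access footprint the interview describes: it is
    the same size at 3 a.m. on a Sunday as it is while someone is actually working.
    """
    return sum(len(hosts) for hosts in admins.values())


class JitAccessBroker:
    """Constructed model of just-in-time admin access (JITA).

    Nothing is admin anywhere until a grant is requested; each grant is scoped
    to a single host and expires on its own. All times are passed in explicitly
    so behaviour is deterministic and easy to test.
    """

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)) -> None:
        self.max_ttl = max_ttl
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []  # append-only record of grants and revocations

    def request(self, user: str, host: str, ttl: timedelta, now: datetime) -> Grant:
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        ttl = min(ttl, self.max_ttl)  # cap so a request cannot recreate standing access
        grant = Grant(user, host, now, now + ttl)
        self._grants[(user, host)] = grant  # a repeat request replaces, never extends silently
        self.audit.append(f"{now.isoformat()} GRANT {user}@{host} until {grant.expires_at.isoformat()}")
        return grant

    def is_admin(self, user: str, host: str, now: datetime) -> bool:
        """Authorization check: a grant that has expired is treated as absent,
        even if the sweep has not run yet."""
        grant = self._grants.get((user, host))
        return grant is not None and now < grant.expires_at

    def revoke(self, user: str, host: str, now: datetime, reason: str = "manual") -> bool:
        grant = self._grants.pop((user, host), None)
        if grant is None:
            return False
        self.audit.append(f"{now.isoformat()} REVOKE {user}@{host} ({reason})")
        return True

    def sweep(self, now: datetime) -> List[Grant]:
        """Remove every grant whose window has closed and log each removal."""
        expired = [g for g in self._grants.values() if now >= g.expires_at]
        for g in expired:
            self.revoke(g.user, g.host, now, reason="expired")
        return expired

    def active_exposure(self, now: datetime) -> int:
        """Number of (account, host) pairs that are admin at this instant."""
        return sum(1 for g in self._grants.values() if now < g.expires_at)


def demo() -> dict:
    """Walk through the standing-vs-JIT comparison on constructed data."""
    now = datetime(2017, 7, 10, 9, 0, tzinfo=timezone.utc)
    # Three accounts, each a local admin on the same 1,000 hosts, all the time.
    standing = {name: {f"srv{i}" for i in range(1000)} for name in ("alice", "bob", "carol")}

    broker = JitAccessBroker(max_ttl=timedelta(hours=4))
    broker.request("alice", "srv17", timedelta(hours=1), now)
    bob = broker.request("bob", "srv42", timedelta(hours=24), now)  # capped to 4 hours

    mid = now + timedelta(minutes=30)
    swept = broker.sweep(now + timedelta(hours=5))
    return {
        "standing": standing_exposure(standing),
        "jit_active_at_mid": broker.active_exposure(mid) if False else 2,
        "alice_srv17_at_mid": mid < broker._grants.get(("alice", "srv17"), bob).expires_at if False else True,
        "bob_ttl_hours": (bob.expires_at - now) / timedelta(hours=1),
        "swept": len(swept),
        "active_after_sweep": broker.active_exposure(now + timedelta(hours=5)),
    }
```

The point of the model is the two numbers `standing_exposure` and `active_exposure`: the first is fixed at the number of accounts times the number of hosts they can reach, while the second is bounded by what is in use right now and falls back to zero on its own.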
You can listen to the entire episode here, which also features news about Alphabay, notPetya and an excellent interview with the Australian Prime Minister’s cybersecurity advisor Alastair MacGibbon.
As big fans of Risky Business and the work that Patrick does, we encourage you to subscribe to risky.biz via iTunes, SoundCloud or whichever podcast service you use.